chromium-112.0.5615.49-1.el7
update to 112.0.5615.49. Fixes the following security issues:
CVE-2023-1528 CVE-2023-1529 CVE-2023-1530 CVE-2023-1531 CVE-2023-1532 CVE-2023-1533 CVE-2023-1534, CVE-2023-25193
chromium-112.0.5615.49-1.el9
update to 112.0.5615.49. Fixes the following security issues:
CVE-2023-1528 CVE-2023-1529 CVE-2023-1530 CVE-2023-1531 CVE-2023-1532 CVE-2023-1533 CVE-2023-1534, CVE-2023-25193
A vulnerability, which was classified as problematic, has been found in Ping Identity Self-Service Account Manager 1.1.2. Affected by this issue is some unknown functionality of the file src/main/java/com/unboundid/webapp/ssam/SSAMController.java. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.1.3 is able to address this issue. The name of the patch is f64b10d63bb19ca2228b0c2d561a1a6e5a3bf251. It is recommended to upgrade the affected component. VDB-225362 is the identifier assigned to this vulnerability.
A vulnerability, which was classified as critical, has been found in Dynamic Widgets Plugin up to 1.5.10. This issue affects some unknown processing of the file classes/dynwid_class.php. The manipulation leads to sql injection. The attack may be initiated remotely. Upgrading to version 1.5.11 is able to address this issue. The name of the patch is d0a19c6efcdc86d7093b369bc9e29a0629e57795. It is recommended to upgrade the affected component. The identifier VDB-225353 was assigned to this vulnerability.
“Zero-day threat.” It may sound like the title of a hit film, yet it’s anything but.
It’s a previously unknown vulnerability that hackers can exploit to unleash unforeseen attacks on computers, smartphones, or networks—making essentially any connected device or system potentially susceptible to attack. After all, today’s devices and code are complex and riddled with dependencies. Even with testing, vulnerabilities can remain elusive, until developers or hackers eventually discover them.
The term “zero day” gets its name from the age of the threat, meaning that developers and security professionals have had “zero days” to address the threat, making it potentially quite damaging.
And it’s not uncommon for major zero-day threats to make the headlines:
In 2021, reports arose of Minecraft players coming under attack. Hackers discovered a vulnerability in the code that allowed them to take control of the computer playing the game, along with the files and information it contained. As it turned out, the threat was far more widespread. The vulnerable code involved a commonly used Java library, used by thousands and thousands of different applications worldwide, not just Minecraft, causing businesses, organizations, and governments to scour their applications for the affected Java library and put measures in place to mitigate the threat.
Spring 2022 saw the rise of a vulnerability dubbed “Follina,” which allowed hackers to remotely take control over a system using a combination of a Microsoft Word document and a diagnostic support tool—which could put a person’s sensitive documents and account information at risk. Microsoft subsequently issued a security patch that disabled the attack vector.
Corporate networks fall victim to zero-day vulnerabilities as well, such as in 2014 when hackers used an undiscovered vulnerability to break into the network of Sony Pictures Entertainment. Hackers raided unreleased copies of movies, scripts, and other information as part of the attack.
Back in the early days of the internet, hackers typically released malware that was an annoyance, such as scrolling profanity across the screen or crashing it the computer infected with it to crash. The examples above show how greatly that has changed.
Today, hackers use malware to make a profit, whether by holding your device and data hostage, tricking you into revealing your personal information so the hacker can access your financial accounts, or by installing spyware that secretly steals information like passwords and account info while you use your device.
That’s what makes zero-day threats so dangerous for us today. Hackers can exploit zero-day vulnerabilities through different means, but traditionally web browsers have been the most common, due to their popularity. Attackers also send emails with attachments, or you might click a link in the body of an email that automatically downloads malware. All of these could now be putting you at risk.
Likewise, security measures have come a long way since the early days. In particular, the antivirus applications included with today’s comprehensive online protection software have technologies in place that directly combat zero-day threats—specifically artificial intelligence (AI) and machine learning (ML).
Without getting too technical about it, strong antivirus uses AI and ML to sniff out malware by looking at how an application or device is behaving and if that behavior looks suspicious based on past patterns. In other words, strong antivirus is smart. It can detect, block, and remove zero-day threats before they can do their damage.
So, just as hackers exploit zero-day vulnerabilities, you can thwart zero-day vulnerabilities with strong antivirus.
Today, McAfee registers an average of 1.1 million new malicious programs and potentially unwanted apps (PUA) each day, which makes zero-day protection an absolute boon for anyone who goes online—and online protection like ours offers some of the strongest antivirus protection you can get, as recognized by independent third-party labs.
Online protection software does a few other things for you as well when it comes to malware attacks:
It alerts you of suspicious links in emails, texts, and direct messages before you click or tap on them, which can prevent bad actors from infecting your device with malware.
It can also alert you of dangerous websites while you surf, once more steering you clear of phishing websites and other sites that host malware.
And it includes a firewall, which can protect your network and the devices on them from attack by filtering both incoming and outgoing traffic.
Beyond using online protection software with strong antivirus, you can take a few more steps that will keep you safer still:
In addition to often providing new features and functionality, updates fix the vulnerabilities in your apps and operating systems, which strengthens your protection against malware.
The more software you have, the more potential vulnerabilities you have. By uninstalling old apps, you leave hackers with fewer avenues of attack. Take a look at your computers and smartphones. Delete the old apps you no longer use, along with any accounts and data associated with them as well. Another benefit is that this can potentially reduce your risk if the companies behind those apps get hit by a data breach.
This is a good rule of thumb in general, but it can definitely help you protect against zero-day attacks. The same holds true for email attachments. Never open them from unknown senders. And if you receive one from a friend, family member, or co-worker, take a quick second to confirm that they sent it. Some attackers masquerade as people we know, and in some cases hack their accounts so they can spread malware in their name.
As the number of apps and devices on the internet have seen explosive growth in recent years, so has the volume of malware—much of it zero-day threats that take advantage of newly discovered vulnerabilities. Hidden within millions and millions of lines of code, dependencies, and interactions, zero-day threats will remain the rule, rather than the exception.
However, antivirus technology has more than kept up, particularly by leaning on smart technologies that can detect zero-day threats before they become known threats. Using strong antivirus, as part of online protection software that contains even more security features still, remains an absolute best practice for anyone who spends any kind of time online.
The post What is a Zero-Day Threat? appeared first on McAfee Blog.
SQL injection vulnerability found in Tailor Mangement System v.1 allows a remote attacker to execute arbitrary code via the customer parameter of the orderadd.php file
A vulnerability classified as critical has been found in CP Appointment Calendar Plugin up to 1.1.5. This affects the function dex_process_ready_to_go_appointment of the file dex_appointments.php. The manipulation of the argument itemnumber leads to sql injection. It is possible to initiate the attack remotely. The name of the patch is e29a9cdbcb0f37d887dd302a05b9e8bf213da01d. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-225351.
The last step with your cybersecurity roadmap involves examining the plan you’ve implemented, revising and streamlining, and starting the process anew.
Here’s an experiment being run by undergraduate computer science students everywhere: Ask ChatGPT to generate phishing emails, and test whether these are better at persuading victims to respond or click on the link than the usual spam. It’s an interesting experiment, and the results are likely to vary wildly based on the details of the experiment.
But while it’s an easy experiment to run, it misses the real risk of large language models (LLMs) writing scam emails. Today’s human-run scams aren’t limited by the number of people who respond to the initial email contact. They’re limited by the labor-intensive process of persuading those people to send the scammer money. LLMs are about to change that. A decade ago, one type of spam email had become a punchline on every late-night show: “I am the son of the late king of Nigeria in need of your assistance….” Nearly everyone had gotten one or a thousand of those emails, to the point that it seemed everyone must have known they were scams.
So why were scammers still sending such obviously dubious emails? In 2012, researcher Cormac Herley offered an answer: It weeded out all but the most gullible. A smart scammer doesn’t want to waste their time with people who reply and then realize it’s a scam when asked to wire money. By using an obvious scam email, the scammer can focus on the most potentially profitable people. It takes time and effort to engage in the back-and-forth communications that nudge marks, step by step, from interlocutor to trusted acquaintance to pauper.
Long-running financial scams are now known as pig butchering, growing the potential mark up until their ultimate and sudden demise. Such scams, which require gaining trust and infiltrating a target’s personal finances, take weeks or even months of personal time and repeated interactions. It’s a high stakes and low probability game that the scammer is playing.
Here is where LLMs will make a difference. Much has been written about the unreliability of OpenAI’s GPT models and those like them: They “hallucinate” frequently, making up things about the world and confidently spouting nonsense. For entertainment, this is fine, but for most practical uses it’s a problem. It is, however, not a bug but a feature when it comes to scams: LLMs’ ability to confidently roll with the punches, no matter what a user throws at them, will prove useful to scammers as they navigate hostile, bemused, and gullible scam targets by the billions. AI chatbot scams can ensnare more people, because the pool of victims who will fall for a more subtle and flexible scammer—one that has been trained on everything ever written online—is much larger than the pool of those who believe the king of Nigeria wants to give them a billion dollars.
Personal computers are powerful enough today that they can run compact LLMs. After Facebook’s new model, LLaMA, was leaked online, developers tuned it to run fast and cheaply on powerful laptops. Numerous other open-source LLMs are under development, with a community of thousands of engineers and scientists.
A single scammer, from their laptop anywhere in the world, can now run hundreds or thousands of scams in parallel, night and day, with marks all over the world, in every language under the sun. The AI chatbots will never sleep and will always be adapting along their path to their objectives. And new mechanisms, from ChatGPT plugins to LangChain, will enable composition of AI with thousands of API-based cloud services and open source tools, allowing LLMs to interact with the internet as humans do. The impersonations in such scams are no longer just princes offering their country’s riches. They are forlorn strangers looking for romance, hot new cryptocurrencies that are soon to skyrocket in value, and seemingly-sound new financial websites offering amazing returns on deposits. And people are already falling in love with LLMs.
This is a change in both scope and scale. LLMs will change the scam pipeline, making them more profitable than ever. We don’t know how to live in a world with a billion, or 10 billion, scammers that never sleep.
There will also be a change in the sophistication of these attacks. This is due not only to AI advances, but to the business model of the internet—surveillance capitalism—which produces troves of data about all of us, available for purchase from data brokers. Targeted attacks against individuals, whether for phishing or data collection or scams, were once only within the reach of nation-states. Combine the digital dossiers that data brokers have on all of us with LLMs, and you have a tool tailor-made for personalized scams.
Companies like OpenAI attempt to prevent their models from doing bad things. But with the release of each new LLM, social media sites buzz with new AI jailbreaks that evade the new restrictions put in place by the AI’s designers. ChatGPT, and then Bing Chat, and then GPT-4 were all jailbroken within minutes of their release, and in dozens of different ways. Most protections against bad uses and harmful output are only skin-deep, easily evaded by determined users. Once a jailbreak is discovered, it usually can be generalized, and the community of users pulls the LLM open through the chinks in its armor. And the technology is advancing too fast for anyone to fully understand how they work, even the designers.
This is all an old story, though: It reminds us that many of the bad uses of AI are a reflection of humanity more than they are a reflection of AI technology itself. Scams are nothing new—simply intent and then action of one person tricking another for personal gain. And the use of others as minions to accomplish scams is sadly nothing new or uncommon: For example, organized crime in Asia currently kidnaps or indentures thousands in scam sweatshops. Is it better that organized crime will no longer see the need to exploit and physically abuse people to run their scam operations, or worse that they and many others will be able to scale up scams to an unprecedented level?
Defense can and will catch up, but before it does, our signal-to-noise ratio is going to drop dramatically.
This essay was written with Barath Raghavan, and previously appeared on Wired.com.
It was discovered that Irssi incorrectly handled certain internal routines.
An attacker could possibly use this issue to cause a crash.
