Daily Archives: September 20, 2023

Advisories

traceroute-2.1.3-1.fc37

Read Time:6 Second

FEDORA-2023-734aa51998

Packages in this update:

traceroute-2.1.3-1.fc37

Update description:

Update to 2.1.3

Read More

Advisories

CVE-2022-3596

Read Time:11 Second

An information leak was found in OpenStack’s undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials.

Read More

Advisories

Drupal core – Critical – Cache poisoning – SA-CORE-2023-006

Read Time:1 Minute, 27 Second
Project: 
Drupal core
Date: 
2023-September-20
Security risk: 
Critical 16∕25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default
Vulnerability: 
Cache poisoning
Affected versions: 
>=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4
Description: 

In certain scenarios, Drupal’s JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Drupal Steward partners have been made aware of this issue. Some platforms may provide mitigations. However, not all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this security release if your site uses JSON:API.

Solution: 

Install the latest version:

If you are using Drupal 10.1, update to Drupal 10.1.4.
If you are using Drupal 10.0, update to Drupal 10.0.11.
If you are using Drupal 9.5, update to Drupal 9.5.11.

All versions of Drupal 9 prior to 9.5 are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.

Reported By: 
ghostccamm
Fixed By: 
Drew Webber of the Drupal Security Team
Peter Wolanin of the Drupal Security Team
Nathaniel Catchpole of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
xjm of the Drupal Security Team
Wim Leers
Benji Fisher of the Drupal Security Team

Read More

Advisories

CVE-2022-3916

Read Time:23 Second

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.

Read More

News

Get Yourself AI-powered Scam Protection That Spots and Block Scams in Real Time

Read Time:3 Minute, 56 Second

The tables have turned. Now you can use AI to spot and block scam texts before they do you harm. 

You might have heard how scammers have tapped into the power of AI. It provides them with powerful tools to create convincing-looking scams on a massive scale, which can flood your phone with annoying and malicious texts. 

The good news is that we use AI too. And we have for some time to keep you safe. Now, we’ve put AI to use in another powerful way—to put an end to scam texts on your phone. 

Our new McAfee Scam Protection automatically identifies and alerts you if it detects a dangerous URL in your texts. No more wondering if a package delivery message or bank notification is real or not. Our patented AI technology instantaneously detects malicious links to stop you before you click by sending an alert. And as a second line of defense, it can block risky sites if you accidentally follow a scam link in a text, email, social media, and more. 

Stop scam texts and their malicious links.  

The time couldn’t be more right for this kind of protection. Last year, Americans lost $330 million to text scams alone, more than double the previous year, with an average reported loss of $1,000, according to the Federal Trade Commission. The deluge of these new sophisticated AI-generated scams is making it harder than ever to tell what’s real from what’s fake.  

Which is where our use of AI comes in. With it, you can turn the table on scammers and their AI tools.  

Here’s a closer look at how McAfee Scam Protection works: 

Proactive and automatic protection: Get notifications about a scam text before you even open the message. After you grant permission to scan the URLs in your texts, McAfee Scam Protection takes charge and will let you know which texts aren’t safe and shouldn’t be opened. 
Patented and powerful AI: McAfee’s AI runs in real-time and is constantly analyzing and processing millions of malicious links from around the world to provide better detection. This means McAfee Scam Protection can protect you from advanced threats including new zero-day threats that haven’t been seen before. McAfee’s AI continually gets smarter to stay ahead of cybercriminals to protect you even better. 
Simple and easy to use: When you’re set up, McAfee Scam Protection goes to work immediately. No copying or pasting or checking whether a text or email is a scam. We do the work for you and the feature will alert you if it detects a dangerous link and blocks risky sites in real time if you accidentally click.   

How do I get McAfee Scam Protection? 

McAfee Scam Protection is free for most existing customers, and free to try for new customers. 

Most McAfee customers now have McAfee Scam Protection available. Simply update your app. There’s no need to purchase or download anything separately. Set up McAfee Scam Protection in your mobile app, then enable Safe Browsing for extra protection or download our web protection extension for your PC or Mac from the McAfee Protection Center. Some exclusions apply¹. 

For new customers, McAfee Scam Protection is available as part of a free seven-day trial of McAfee Mobile Security. After the trial period, McAfee Mobile Security is $2.99 a month or $29.99 annually for a one-year subscription. 

As part of our new Scam Protection, you can benefit from McAfee’s risky link identification on any platform you use. It can block dangerous links should you accidentally click on one, whether that’s through texts, emails, social media, or a browser. It’s powered by AI as well, and you’ll get it by setting up Safe Browsing on your iOS² or Android device—and by using the WebAdvisor extension on PCs, Macs and iOS. 

Scan the QR code to download McAfee Scam Protection from the Google App store

 Yes, the tables have turned on scammers. 

AI works in your favor. Just as it has for some time now if you’ve used McAfee for your online protection. McAfee Scam Protection takes it to a new level. As scammers use AI to create increasingly sophisticated attacks, McAfee Scam Protection can help you tell what’s real and what’s fake. 

Customers currently with McAfee+, McAfee Total Protection, McAfee LiveSafe, and McAfee Mobile Security plans have McAfee Scam Protection included in their subscription.
Scam text filtering is coming to iOS devices in October.  

The post Get Yourself AI-powered Scam Protection That Spots and Block Scams in Real Time appeared first on McAfee Blog.

Read More