It was discovered that Indent incorrectly handled parsing certain source
files. If a user or automated system were tricked into processing a
specially crafted source file, a remote attacker could use this issue to
cause Indent to crash, resulting in a denial of service, or possibly
execute arbitrary code.
Daily Archives: September 20, 2023
On the Cybersecurity Jobs Shortage
In April, Cybersecurity Ventures reported on an extreme cybersecurity job shortage:
Global cybersecurity job vacancies grew by 350 percent, from one million openings in 2013 to 3.5 million in 2021, according to Cybersecurity Ventures. The number of unfilled jobs leveled off in 2022, and remains at 3.5 million in 2023, with more than 750,000 of those positions in the U.S. Industry efforts to source new talent and tackle burnout continue, but we predict that the disparity between demand and supply will remain through at least 2025.
The numbers never made sense to me, and Ben Rothke has dug in and explained the reality:
…there is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp.
[…]
Most entry-level roles tend to be quite specific, focused on one part of the profession, and are not generalist roles. For example, hiring managers will want a network security engineer with knowledge of networks or an identity management analyst with experience in identity systems. They are not looking for someone interested in security.
In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical, before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers learn that entry-level often means at least two to three years of work experience in a related field.
That makes a lot more sense, and matches what I experience.
CVE-2022-45447
The M4 PDF plugin for Prestashop sites, in version 3.2.3 and before, is vulnerable to directory traversal. The "f" parameter of the resource /m4pdf/pdf.php is not properly checked, so the script returns any file given its relative path. An attacker who exploits this vulnerability could download /etc/passwd from the server if the file exists.
thunderbird-102.15.1-1.fc38
FEDORA-2023-a7aba7e1b0
Packages in this update:
thunderbird-102.15.1-1.fc38
Update description:
Update to 102.15.1
https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-37/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
https://www.thunderbird.net/en-US/thunderbird/102.15.0/releasenotes/
thunderbird-102.15.1-1.fc37
FEDORA-2023-6b5635d7d3
Packages in this update:
thunderbird-102.15.1-1.fc37
Update description:
Update to 102.15.1
https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-37/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
https://www.thunderbird.net/en-US/thunderbird/102.15.0/releasenotes/
International Criminal Court Reveals Security Breach
Finnish Authorities Shutter Dark Web Drugs Marketplace
What a mess! Clorox warns of “material impact” to its financial results following cyberattack
Clorox, the household cleaning product manufacturer, has admitted that its financial results for the first quarter could see a “material impact” after hackers attacked its systems.
Read more in my article on the Hot for Security blog.
Brits Lose $9.3bn to Scams in a Year
CVE-2020-24089
An issue was discovered in ImfHpRegFilter.sys in IOBit Malware Fighter version 8.0.2 that allows local attackers to cause a denial of service (DoS).