Read Time:5 Second
Stealc is a fully featured stealer, whose development relied on Vidar, Raccoon, Mars and Redline
Yearly Archives: 2023
USN-5881-1: Chromium vulnerabilities
Read Time:1 Minute, 3 Second
It was discovered that Chromium did not properly manage memory. A remote
attacker could possibly use these issues to cause a denial of service or
execute arbitrary code via a crafted HTML page. (CVE-2023-0471,
CVE-2023-0472, CVE-2023-0473, CVE-2023-0696, CVE-2023-0698, CVE-2023-0699,
CVE-2023-0702, CVE-2023-0705)
It was discovered that Chromium did not properly manage memory. A remote
attacker who convinced a user to install a malicious extension could
possibly use this issue to corrupt memory via a Chrome web app.
(CVE-2023-0474)
It was discovered that Chromium contained an inappropriate implementation
in the Download component. A remote attacker could possibly use this issue
to spoof contents of the Omnibox (URL bar) via a crafted HTML page.
(CVE-2023-0700)
It was discovered that Chromium did not properly manage memory. A remote
attacker who convinced a user to engage in specific UI interactions could
possibly use these issues to cause a denial of service or execute
arbitrary code. (CVE-2023-0701, CVE-2023-0703)
It was discovered that Chromium insufficiently enforced policies. A remote
attacker could possibly use this issue to bypass same origin policy and
proxy settings via a crafted HTML page. (CVE-2023-0704)
CVE-2015-10084
Read Time:20 Second
A vulnerability was found in irontec klear-library chloe and classified as critical. Affected by this issue is the function _prepareWhere of the file Controller/Rest/BaseController.php. The manipulation leads to sql injection. Upgrading to version marla is able to address this issue. The name of the patch is b25262de52fdaffde2a4434fc2a84408b304fbc5. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221504.
CVE-2015-10083
Read Time:24 Second
A vulnerability has been found in harrystech Dynosaur-Rails and classified as critical. Affected by this vulnerability is the function basic_auth of the file app/controllers/application_controller.rb. The manipulation leads to improper authentication. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The name of the patch is 04b223813f0e336aab50bff140d0f5889c31dbec. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221503.
gssntlmssp-1.2.0-1.el7
Read Time:12 Second
FEDORA-EPEL-2023-acd256a168
Packages in this update:
gssntlmssp-1.2.0-1.el7
Update description:
Patches several CVEs reported by GitHub Security Lab
CVE-2023-25563
CVE-2023-25564
CVE-2023-25565
CVE-2023-25566
CVE-2023-25567
The Insecurity of Photo Cropping
Read Time:52 Second
The Intercept has a long article on the insecurity of photo cropping:
One of the hazards lies in the fact that, for some of the programs, downstream crop reversals are possible for viewers or readers of the document, not just the file’s creators or editors. Official instruction manuals, help pages, and promotional materials may mention that cropping is reversible, but this documentation at times fails to note that these operations are reversible by any viewers of a given image or document.
[…]
Uncropped versions of images can be preserved not just in Office apps, but also in a file’s own metadata. A photograph taken with a modern digital camera contains all types of metadata. Many image files record text-based metadata such as the camera make and model or the GPS coordinates at which the image was captured. Some photos also include binary data such as a thumbnail version of the original photo that may persist in the file’s metadata even after the photo has been edited in an image editor.
City Fund Managers Jailed for $8m Fraud
Cyber arms race, economic headwinds among top macro cybersecurity risks for 2023
Read Time:37 Second
Despite the billions of dollars poured annually into cybersecurity by investors, organizations, academia, and government, adequate and reliable cybersecurity remains an ever-elusive goal. The technological complexity and growing attack surface, along with a growing array of threat actors and increased interconnectivity, make securing digital systems and assets a perennial pipedream.
Chief among the challenges for decision-makers and experts is simply identifying and comprehending society’s cybersecurity risks. One organization, the Washington, DC-based think tank Bipartisan Policy Center, has convened a working group of experts from industry, government, and civil society to “identify the nation’s top cybersecurity risks to raise awareness so policymakers and businesses can take pragmatic action and invest in countermeasures.”
DNA Diagnostic Center fined $400,000 for 2021 data breach
Read Time:28 Second
DNA Diagnostics Center, a DNA testing company, will pay a penalty of $400,000 to the attorneys general of Pennsylvania and Ohio for a data breach in 2021 that affected 2.1 million individuals nationwide, according to a settlement deal with the states’ attorneys general.
The company will also be required to implement improvements to its data security, including updating the asset inventory of its entire network and disabling or removing any assets identified that are not necessary for any legitimate business purpose.