Read Time:7 Second
The Top 10 Malware in Q1 2024 changed slightly from the previous quarter. Here’s what the CIS Cyber Threat Intelligence team observed.
Daily Archives: May 2, 2024
USN-6762-1: GNU C Library vulnerabilities
Read Time:1 Minute, 2 Second
It was discovered that GNU C Library incorrectly handled netgroup requests.
An attacker could possibly use this issue to cause a crash or execute arbitrary code.
This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9984)
It was discovered that GNU C Library might allow context-dependent
attackers to cause a denial of service. This issue only affected Ubuntu 14.04 LTS.
(CVE-2015-20109)
It was discovered that GNU C Library when processing very long pathname arguments to
the realpath function, could encounter an integer overflow on 32-bit
architectures, leading to a stack-based buffer overflow and, potentially,
arbitrary code execution. This issue only affected Ubuntu 14.04 LTS.
(CVE-2018-11236)
It was discovered that the GNU C library getcwd function incorrectly
handled buffers. An attacker could use this issue to cause the GNU C
Library to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2021-3999)
Charles Fol discovered that the GNU C Library iconv feature incorrectly
handled certain input sequences. An attacker could use this issue to cause
the GNU C Library to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2024-2961)
Three-Quarters of CISOs Admit App Security Incidents
Read Time:6 Second
Dynatrace research claims global CISOs are concerned AI is driving advanced app security threats and poor developer practices
Security Breach Exposes Dropbox Sign Users
Read Time:3 Second
Attackers accessed emails, usernames, phone numbers, hashed passwords and authentication information
The UK Bans Default Passwords
Read Time:51 Second
The UK is the first country to ban default passwords on IoT devices.
On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted.
The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for.
The UK may be the first country, but as far as I know, California is the first jurisdiction. It banned default passwords in 2018, the law taking effect in 2020.
This sort of thing benefits all of us everywhere. IoT manufacturers aren’t making two devices, one for California and one for the rest of the US. And they’re not going to make one for the UK and another for the rest of Europe, either. They’ll remove the default passwords and sell those devices everywhere.
Another news article.
REvil Ransomware Affiliate Sentenced to Over 13 Years in Prison
Read Time:9 Second
A US court has sentenced a Ukrainian national to 13 years and seven months in prison for his role in over 2500 ransomware attacks using the REvil strain
US and UK Warn of Disruptive Russian OT Attacks
Read Time:6 Second
The US and its allies claim Russian hacktivists are disruptive operations in water, energy, food and agriculture sectors
chromium-124.0.6367.118-1.fc40
Read Time:25 Second
FEDORA-2024-5cf9499b62
Packages in this update:
chromium-124.0.6367.118-1.fc40
Update description:
update to 124.0.6367.118
* High CVE-2024-4331: Use after free in Picture In Picture
* High CVE-2024-4368: Use after free in Dawn
update to 124.0.6367.91
update to 124.0.6367.78
* Critical CVE-2024-4058: Type Confusion in ANGLE
* High CVE-2024-4059: Out of bounds read in V8 API
* High CVE-2024-4060: Use after free in Dawn
chromium-124.0.6367.118-1.fc38
Read Time:15 Second
FEDORA-2024-191c252b75
Packages in this update:
chromium-124.0.6367.118-1.fc38
Update description:
update to 124.0.6367.118
* High CVE-2024-4331: Use after free in Picture In Picture
* High CVE-2024-4368: Use after free in Dawn
update to 124.0.6367.91
chromium-124.0.6367.118-1.el9
Read Time:1 Minute, 14 Second
FEDORA-EPEL-2024-808f3961ef
Packages in this update:
chromium-124.0.6367.118-1.el9
Update description:
update to 124.0.6367.118
* High CVE-2024-4331: Use after free in Picture In Picture
* High CVE-2024-4368: Use after free in Dawn
update to 124.0.6367.91
update to 124.0.6367.78
* Critical CVE-2024-4058: Type Confusion in ANGLE
* High CVE-2024-4059: Out of bounds read in V8 API
* High CVE-2024-4060: Use after free in Dawn
update to 124.0.6367.60
High CVE-2024-3832: Object corruption in V8
High CVE-2024-3833: Object corruption in WebAssembly
High CVE-2024-3914: Use after free in V8
High CVE-2024-3834: Use after free in Downloads
Medium CVE-2024-3837: Use after free in QUIC
Medium CVE-2024-3838: Inappropriate implementation in Autofill
Medium CVE-2024-3839: Out of bounds read in Fonts
Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation
Medium CVE-2024-3841: Insufficient data validation in Browser Switcher
Medium CVE-2024-3843: Insufficient data validation in Downloads
Low CVE-2024-3844: Inappropriate implementation in Extensions
Low CVE-2024-3845: Inappropriate implementation in Network
Low CVE-2024-3846: Inappropriate implementation in Prompts
Low CVE-2024-3847: Insufficient policy enforcement in WebUI
update to 123.0.6312.122
High CVE-2024-3157: Out of bounds write in Compositing
High CVE-2024-3516: Heap buffer overflow in ANGLE
High CVE-2024-3515: Use after free in Dawn