USN-6586-1: FreeImage vulnerabilities


It was discovered that FreeImage incorrectly handled certain memory
operations. If a user were tricked into opening a crafted TIFF file, a
remote attacker could use this issue to cause a heap buffer overflow,
resulting in a denial of service attack. This issue only affected Ubuntu
16.04 LTS and Ubuntu 20.04 LTS. (CVE-2019-12211)

It was discovered that FreeImage incorrectly processed images under
certain circumstances. If a user were tricked into opening a crafted TIFF
file, a remote attacker could possibly use this issue to cause a stack
exhaustion condition, resulting in a denial of service attack. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 20.04 LTS. (CVE-2019-12213)

It was discovered that FreeImage incorrectly processed certain images.
If a user or automated system were tricked into opening a specially
crafted image file, a remote attacker could possibly use this issue to
cause a denial of service or execute arbitrary code. (CVE-2020-21427,
CVE-2020-21428)

It was discovered that FreeImage incorrectly processed certain images.
If a user or automated system were tricked into opening a specially
crafted PFM file, an attacker could possibly use this issue to cause a
denial of service. (CVE-2020-22524)


USN-6579-2: Xerces-C++ vulnerability


USN-6579-1 fixed a vulnerability in Xerces-C++. This update provides the
corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.04
and Ubuntu 23.10.

Original advisory details:

It was discovered that Xerces-C++ was not properly handling memory
management operations when parsing XML data containing external DTDs,
which could trigger a use-after-free error. If a user or automated system
were tricked into processing a specially crafted XML document, an attacker
could possibly use this issue to cause a denial of service or execute
arbitrary code.


Unusual, thought-provoking predictions for cybersecurity in 2024


This is part one of a three-part series written by AT&T Cybersecurity evangelist Theresa Lanowitz. It’s intended to be future-looking and provocative and to encourage discussion. The author wants to assure you that no generative AI was used in any part of this blog.

Entering 2024 brings us well into the third decade of the new millennium.

Do you recall how tentatively and maybe naively we approached the year 2000, otherwise known as Y2K? We stressed over two bytes in COBOL programs and regression tested every line of code to ensure our systems were ready to go at midnight on January 1, 2000. The clock struck 12, and the world breathed a collective sigh of relief – we survived the predicted digital disaster.

And just like that, off we went – to create web, mobile, and cloud apps, to turn embedded software into the Internet of Things (IoT), and to democratize computing in a way that was only a dream just 23 years ago.

With massive shifts and changes in computing in the wake, it’s time to ask: where are we going in 2024, and what cybersecurity opportunities and challenges lie ahead?

Maturing the industry: It’s the business that matters.

Cybersecurity is not about fear, uncertainty, and doubt (FUD). It is about delivering business outcomes such as boarding a plane quicker to mitigate flight delay penalties, heating or cooling my house efficiently to manage energy consumption in various climates, or reducing waste in manufacturing to minimize product recalls.

Notice there was no mention of security, data, network, coding, or anything remotely IT-centric or technical in the stated business outcomes above. We must aspire to this when thinking about our businesses and cybersecurity. It must be about the business first, advancing the customer experience, and removing friction.

Cybersecurity is now a business requirement. For cybersecurity to be part of business planning, cybersecurity teams need to become members of the business teams.

Over the past three years, the cybersecurity market has rapidly matured. We are in the midst of market consolidation, with individual point products being acquired and integrated into platform offerings. These platform offerings will continue to evolve by acquiring smaller vendors, partnering, and innovating.

The platform vendors clearly see the need for cybersecurity to be a part of the business conversation and want to act as a business partner and trusted advisor, not merely a product provider.

Cybersecurity budgets are changing, and so is the way funding is obtained.

This year, our research revealed an unexpected change: money is being redistributed as computing moves closer to the data source. Our respondents reported they are investing in new computing development – in this case, edge computing – in a way that’s different from what we’ve seen in the past. They are proactively investing in strategy and planning, the network, application development, and security to create a balanced, collaborative ecosystem.

The big surprise isn’t a new secret weapon or killer application. The surprise is what’s needed: a new way of thinking about resource allocation. You’ll still need your usual hardware, software, storage, and security buckets. How you balance those expenses is what’s different.

As computing moves closer to the data source, every deployment should contribute to the bottom line. By working closely with your business partners, I believe business leaders will be able to identify how to cost-justify use cases that include investments by IT.

Cybersecurity-as-a-service (CSaaS) will help organizations do more with less.

In 2024, expect the continued maturation of the cybersecurity business, and expect platform vendors to embrace the idea of delivering cybersecurity-as-a-service. The tooling companies of yesterday want to be today’s business partners. There is far more value in being a business partner than in providing a technology solution that becomes commodified. Platforms are critical to a business, while tools are tactical aids at a given point in time.

Watch for traditional cybersecurity product vendors to enter the consulting or managed security services market. These platform vendors will offer specific and targeted services with other closely aligned vendors. Platform vendors will form alliances with startups that offer new technology to complement the platform. Organizations of all sizes and types are seeking an extension of their cybersecurity teams, and services from a trusted vendor are the next step.

Stay tuned for part 2: Cybersecurity operations in 2024: The SOC of the future, tomorrow!
