Let's pretend we're back in, say, 2008. You've just bought a new computer with Windows XP on it, hooked it up to the internet, opened the browser, navigated to your favorite website and found that half of it doesn't display. "Try installing Adobe Flash," a friend who knows all about computers advises over the phone.

The origins of Flash date back to the early 1990s: it was a tool to create simple vector-based animations compact enough to be downloaded even over a slow modem connection. By the late 2000s, Adobe Flash Player, still an animation tool at heart, was pretty much indispensable: without it, literally half of all websites didn't work. At the same time, cybercriminals began to exploit the dozens upon dozens of vulnerabilities found in the player. Largely because of this, Flash has had many ardent critics since 2010, and even Adobe itself recognized that the internet needed to develop along different lines. Nevertheless, Flash's funeral was drawn out for almost 10 years, and even then it wasn't properly buried. It all makes for one of the most interesting episodes in the history of online information security. Let's delve into the details.

Computers go tablet

The history of Flash begins in 1992–93, when several firms released tablet computers all at once. That's right, like the iPad, only 13 years earlier. Here's what the IBM ThinkPad 700T, a rare breed, looked like, for example:

ThinkPad 700T tablet computer.

Such devices used Penpoint OS, developed by GO Corporation. This first attempt to make a portable tablet computer, however, crashed and burned. As early as 1994, GO Corporation was sold to AT&T, which promptly ceased production. However, several independent applications were written for Penpoint OS. One of them was the graphics editor SmartSketch, developed by Futurewave Software. Alas, the release of SmartSketch coincided with the demise of Penpoint OS. Futurewave first adapted the editor for Microsoft Windows and Mac OS, then added the ability to create animated graphics while renaming the product FutureSplash Animator. In 1996, Futurewave Software was acquired by Macromedia, and its product was rebranded Macromedia Flash.
It consisted of two components: a program for creating animations, and a compact Macromedia Flash Player utility for playing them on users' computers. Importantly, both SmartSketch and early Macromedia Flash used what are known as vector graphics. The JPEG photos and images we were all used to use raster graphics, whereby each individual pixel has a color value, and there can be thousands or even millions of them. Vector graphics don't store pixel information; they're a recipe for recreating an image from primitives or geometric shapes: lines, squares, circles, etc. Vector files tend to be more compact than raster ones: instead of describing each pixel in an image of a circle on a white background, we store a single instruction: "Draw a circle with a radius of X pixels on a white background."

Back in the heady 1990s, people generally went online through modems. Such connections were tediously slow, with a data transfer rate of 5–6 kilobytes per second at best. Any raster image of minimally decent quality took at least a few seconds (or even minutes) to load. As a result, many users simply turned off images in their browser settings. Using vector graphics, however, Macromedia Flash was able to deliver colorful animated images that loaded in no time at all.

One other important point before we continue: when speaking of Flash, we're essentially talking about the code that gets downloaded to a computer every time a user opens a site with Flash content. This is no ordinary executable file but a set of instructions run by Macromedia Flash Player on the PC. Still, the principle is the same: it is third-party code executing on the user's machine (and, in theory, there was nothing to prevent making an executable file containing both the content and the player). It didn't take long for Flash to start picking up additional functionality: besides graphics, along came sound and special effects, and later even video transmission.
Online additives

The author of this post first came across Macromedia Flash in 2001 when watching Masyanya, Russia's answer to Beavis and Butt-Head. That fall, every Monday morning, I downloaded and watched a new episode of the online cartoon, lasting one to two minutes. The creator of Masyanya, Oleg Kuvaev, made the animated videos with Macromedia Flash and uploaded them to his website specifically as executable files, with Flash Player and the animation itself embedded inside. This approach essentially preempted YouTube. Masyanya perfectly illustrates the compactness of the format: the sixth episode of the series (called "Modem") was only 600 kilobytes in size, including the playback software, don't forget. The same episode in video format of the most basic quality weighs three times as much, and that's without a player.

Macromedia Flash technology significantly expanded the capabilities of internet browsers in those days, which were themselves limited in the content they could display: text and images, period. So it was a logical development to create a plug-in for playing Flash content directly in the browser, eliminating the need to download and run things separately. That is, Flash objects were still code executed on your computer; the only difference was that, after installation of the plug-in, these programs ran as the web content loaded, without any additional action from the user. Developer tools also expanded: by the end of the 1990s it was no longer about simple animation. Flash now made it possible to implement interactive menu items, and there was support for a scripting language allowing you to create increasingly complex constructions inside a Flash object.

To visualize this, let's look at the evolution of website capabilities. Here's the very first web page, from 1990:

The first ever web page. Only text and hyperlinks.

Here's a typical website from 1996:

The Yahoo! portal in the fall of 1996. Still text and links, plus a few graphic elements.
And here's a website with Flash elements from 2000:

The Sony PlayStation website in 2000. A riot of color, but most elements are done in plain HTML. The central, animated element contains photos, animations and videos.

Web designers back then had different priorities: some strove for maximum compatibility, others sacrificed compatibility for the sake of graphics. In the former case, even if a site had Flash elements, it was still usable without them. In the latter, a site needed Flash; without it, it wouldn't work. Like this Nike Air minisite:

First, it looks good. The whole interface of the 2006 Nike Air website was built using Flash. It didn't open without the right plug-in.

Macromedia Flash seriously expanded the boundaries of what was possible in website design. It untied developers' hands regarding the placement of animated elements, the use of sound and video, and eye-catching effects when moving between pages. In December 2005, Macromedia was bought by Adobe. Soon, Flash was being used to create entire games that ran right in the browser, an unprecedented step in the mid-2000s. Meanwhile, mobile devices were developing rapidly. Flash Player alternatives were being developed for them as well, making content available across multiple platforms. 2005 saw the launch of YouTube. It, too, used Flash Player to deliver videos.

A negative consequence was that advertisers got overly carried away creating garish banners based on Macromedia/Adobe Flash. Since these were still programs executed on the user's computer, they sometimes put a heavy load on the system, seriously slowing down other programs. In some browsers and plug-ins, the option appeared to disable Flash by default. As it quickly transpired, however, banners were the least of the many problems awaiting the Flash-dominated computing world.
Giant security hole

Reconstructing the timeline of vulnerability discovery in Adobe Flash Player is quite difficult, since the program dates back to the dawn of the modern web. In the early 2000s, it was not yet common practice to notify users and customers of vulnerabilities. In the archive of Adobe bulletins and advisories, which includes Macromedia-era data, the first entry about a Flash Player vulnerability appears in 2002. MITRE's CVE database lists more than 1100 vulnerabilities related to Adobe Flash Player. The first arbitrary code execution (ACE) vulnerabilities in this database also date back to 2002: an attacker could send the victim an Adobe Flash file which, when played, ran malicious code. Some of these vulnerabilities had the maximum CVSS score of 10.0 (according to unverified sources, there were more than 800 ACE vulnerabilities across all Flash Player versions). Such vulnerabilities were easy to exploit and often required little or no action from the user: it sufficed to lure the victim to a website with a malicious Adobe Flash object embedded in it. Some attacks compromised ad distribution systems, causing malicious content to suddenly appear on websites visited by millions of users.

Not for nothing have we been stressing that Flash objects are essentially programs that get delivered to the user's machine and executed there. A consequence of the wide-ranging capabilities of the technology was the emergence of countless loopholes through which attackers could gain complete control over a computer. Already by 2005, Flash was the most popular technology for running web applications.

Not a problem, we think in 2022: just deliver an update to all users. But automatic Flash Player updates appeared only toward the end of the technology's life; they simply didn't exist in the 2000s. Back then, you had to go to the Adobe website, download the new version, and manually install it.
Some users weren't even aware they had a version of Flash Player that needed updating. The 2006 vulnerability was also flagged (along with three others) in a Microsoft bulletin, because Adobe code could be distributed with Windows XP. Microsoft itself handled updates for it, and its process for delivering and installing patches was likewise less than ideal.

Just how bad the update delivery situation was is evident from a Kaspersky report from 2012. That year, Adobe Flash Player was already the leader by number of vulnerabilities found on users' computers. By then, a system was in place to notify Flash Player users of available updates, as well as to track how quickly they were installed. With each discovered security hole, the share of vulnerable users grew and grew (peaking at 60% in 2012!), before declining with each new patch. The update distribution process, at least for most users, took from three weeks to two months, eons by today's standards. It was worst of all for users of very old versions, who didn't even receive update reminders; throughout 2012 their share was about 10%.

Let's take a look at another Kaspersky report, this time from 2015. It lists 13 new vulnerabilities in Flash Player which were known to be used (along with others that were old but still live) in so-called exploit packs: kits containing multiple exploits that attack vulnerabilities in software on users' computers one by one until one succeeds. Most of the actual attacks on users were carried out through the browser (62%), with the most common cause, according to Kaspersky experts, being a Flash vulnerability. Flash had by then taken over as the main source of threats from another popular plug-in technology, Java, which was used, for example, in early online banking systems.

Ten-year funeral

By the mid-2010s, Adobe Flash was already seen as obsolete. Perhaps the first high-profile statement against Flash was the open letter "Thoughts on Flash" by Apple founder and CEO Steve Jobs.
After going through permanent crises in the nineties, by 2010 Apple was sitting pretty: in 2007 the first iPhone was released, followed in 2010 by the first iPad, which, unlike the 1993 tablets, was successful. The iPhone initially lacked many of the features found in other smartphones. In particular, it didn't support Flash, and so couldn't display sites that used the technology. In the late 2000s, this was a serious argument in favor of Nokia's Symbian smartphones and early Android devices, which did have Flash support.

Steve Jobs cited security as one of the main reasons why Apple mobile devices would never run Flash. In addition, Apple couldn't accept having no control over how Flash operated on its devices. All its life, Flash (except for certain elements) has been a proprietary solution, unlike open standards such as HTML5 or JavaScript. If Apple had allowed and Adobe had implemented Flash support, games, videos and web elements on the smartphone would have slowed down or crashed. And the phone manufacturer would have been blamed! There were other arguments, too. In contrast to desktop computers, code for smartphones must be as streamlined as possible so as not to eat up the battery. Streamlining Flash, which didn't even support GPU acceleration back then, was as good as impossible. Even if Adobe had made a great version of Flash Player, the performance of Flash applications would have depended on the individual developers, of whom there were many thousands. And the control-freak Apple couldn't countenance this.

Other tech companies, too, didn't want to depend on a competitor's proprietary software. The normal way for market players to interact is through collaboration on an open standard. But that still required everyone to accept the standard, and that wasn't easy. Some tried to replicate the success of Flash and create their own proprietary format.
In particular, Microsoft decided in 2007 to develop its own improved Flash called Silverlight, but, fortunately, it didn't catch on. In 2015, Wired magazine published an article tellingly titled "Flash. Must. Die." It describes the attempts of various industry players to deal with the one big vulnerability that goes by the name of Adobe Flash Player. That same year, the developers of the Firefox browser disabled the plug-in for playing Flash content by default. Chrome stated it would disable unimportant Flash content on websites (read: video banners that seriously strain the system). Alex Stamos, then chief security officer of Facebook, suggested setting a final date by which to pull support for this legacy technology. Facebook itself at that moment was still using Flash to play videos.

The open standard HTML5 was indeed in a position to replace Flash as the universal tool for building content-heavy interactive websites. But getting rid of such a huge legacy overnight was simply impossible. Ad networks depended on Flash, as did users of old computers with old browsers and developers of sites with large content libraries. Only in July 2017 did Adobe announce it was ceasing development and ending support for Flash, with a generous transitional period of three years. Almost immediately, all popular browsers began to run Flash content only when requested by the user. Finally, on January 12, 2021, 25 years after the release of Macromedia Flash Player 1.0 and 13 years after the discovery of the first supercritical vulnerability in the software, user-side support for Flash was discontinued. Since that day, modern browsers no longer play Flash content even if you want them to and have Flash Player installed, and the latest version of the player itself blocks content from running.

The Flash end-of-life pop-up that appeared at the end of 2020.

However, the Flash era isn't over yet. Forty days after Flash was pulled, we published a review of the then-current situation regarding the technology.
Some corporate applications, it turned out, were still tied to it and no longer being updated. In particular, the technology is still widely used in China. Some companies unwilling or unable to part with Flash are even ready to create custom browsers that support it. We can only hope they know what they're doing. At the very least, don't use such browsers on computers without a high-quality security solution. Flash is also of interest to web archivists: with the passing of the technology, much of the creative output of tens of thousands of people has become inaccessible.

No one's fault, almost

It's entirely understandable why Adobe was so slow to announce the end of life of Adobe Flash. Support for the technology on the vast majority of consumer PCs meant high sales of content development tools. Starting in 2013, the company was able to adapt this part of the technology for the modern world: the still-active Adobe AIR lets you develop applications for Windows, Mac OS, Android and iOS. It's essentially the direct successor to Adobe Flash, supporting both the company's proprietary technologies and open-source technologies such as HTML5.

That's not to say that Adobe developed Flash in a particularly poor way. The technology was cursed by its own popularity, and also by the development principles of the 1990s. Adobe Flash Player had full access to the computer's resources, and any major coding error had equally major consequences. A prime example was the bug in the player that allowed any site to access the user's webcam. Dealing with such a legacy (old code, insecure by design) is no simple task. Fixing it is also tricky: any optimization or security technology jeopardizes compatibility with millions of Flash applications on thousands of websites. Not that Adobe didn't try. After the discovery of the first 10.0-rated vulnerability in 2008, Adobe patched dozens of critical vulnerabilities in Flash Player every year up until 2011.
But it seems that adapting Flash to the evolving ideas about internet security was a bridge too far. Today's browsers don't require any plug-ins at all to display almost any online content. This means that the browser developer alone is responsible for the user's safe browsing, and no one else. Everything downloaded from the web is now considered unsafe by definition, so browser makers go to great lengths to isolate websites from each other and from other programs on the device, be it a computer, smartphone or tablet. They're clearly doing a good job, but, alas, cybercriminals are also improving their tools. In Google Chrome in 2022 alone, six zero-day vulnerabilities have been discovered that had already been used in attacks. Sure, that's fewer than the 15 Adobe Flash Player vulnerabilities exploited by cybercriminals in 2015, but the difference isn't huge.

Let's end on a positive note: Adobe Flash played a major role in shaping the web as we now know it. It transformed websites from a dull collection of text-based pages into something, well, flashier. Flash helped realize the dream of a virtual universe as envisioned by 1990s sci-fi books and movies. For some, website design in the 2000s was too gaudy, too brassy, too in-your-face. Over the following decade, the general style of sites and applications mellowed, while the internet itself became an indispensable part of modern life. Adobe Flash was instrumental throughout this period, the so-called romantic age of the internet. It may have been rough around the edges, prone to spilling your data through a careless click, but it will always remain an essential part of the early history of the web.
On October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. A similarly dramatic drop in the number of LinkedIn profiles claiming employment at Amazon comes as LinkedIn is struggling to combat a significant uptick in the creation of fake employee accounts that pair AI-generated profile photos with text lifted from legitimate users.

Jay Pinho is a developer who is working on a product that tracks company data, including hiring. Pinho has been using LinkedIn to monitor daily employee headcounts at several dozen large organizations, and last week he noticed that two of them had far fewer people claiming to work for them than they did just 24 hours previously. Pinho’s screenshot below shows the daily count of employees as displayed on Amazon’s LinkedIn homepage. Pinho said his scraper shows that the number of LinkedIn profiles claiming current roles at Amazon fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop:

The number of LinkedIn profiles claiming current positions at Amazon fell 33 percent overnight. Image: twitter.com/jaypinho

As stated above, the number of LinkedIn profiles that claimed to work at Apple fell by approximately 50 percent on Oct. 10, according to Pinho’s analysis:

Image: twitter.com/jaypinho

Neither Amazon nor Apple responded to requests for comment. LinkedIn declined to answer questions about the account purges, saying only that the company is constantly working to keep the platform free of fake accounts. In June, LinkedIn acknowledged it was seeing a rise in fraudulent activity on the platform.

KrebsOnSecurity hired Menlo Park, Calif.-based SignalHire to check Pinho’s numbers. SignalHire keeps track of active and former profiles on LinkedIn, and during the Oct. 9-11 timeframe SignalHire said it saw somewhat smaller but still unprecedented drops in active profiles tied to Amazon and Apple. “The drop in the percentage of 7-10 percent [of all profiles], as it happened [during] this time, is not something that happened before,” SignalHire’s Anastacia Brown told KrebsOnSecurity. Brown said the normal daily variation in profile numbers for these companies is plus or minus one percent.
“That’s definitely the first huge drop that happened throughout the time we’ve collected the profiles,” she said.

In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the business networking site and the companies that rely on it to hire and screen prospective employees. A day after that second story ran, KrebsOnSecurity heard from a recruiter who noticed the number of LinkedIn profiles that claimed virtually any role in network security had dropped seven percent overnight. LinkedIn declined to comment about that earlier account purge, saying only that, “We’re constantly working at taking down fake accounts.”

A “swarm” of LinkedIn AI-generated bot accounts flagged by a LinkedIn group administrator recently.

It’s unclear whether LinkedIn is responsible for this latest account purge, or if individually affected companies are starting to take action on their own. The timing, however, argues for the former, as the account purges for Apple and Amazon employees tracked by Pinho appeared to happen within the same 24-hour period.

It’s also unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn. Cybersecurity firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from the leading job listing platforms LinkedIn and Indeed as part of an elaborate scheme to land jobs at cryptocurrency firms. On this point, Pinho said he noticed an account purge in early September that targeted fake profiles tied to jobs at cryptocurrency exchange Binance. Up until Sept. 3, there were 7,846 profiles claiming current executive roles at Binance. The next day, that number stood at 6,102, a 23 percent drop (by some accounts that 6,102 head count is still wildly inflated).

Fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out. In addition, identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.

Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California, Berkeley, suggested another explanation for the recent glut of phony LinkedIn profiles: someone may be setting up a mass network of accounts in order to more fully scrape profile information from the entire platform. “Even with just a standard LinkedIn account, there’s a pretty good amount of profile information just in the default two-hop networks,” Weaver said. “We don’t know the purpose of these bots, but we know creating bots isn’t free and creating hundreds of thousands of bots would require a lot of resources.”

In response to last week’s story about the explosion of phony accounts on LinkedIn, the company said it was exploring new ways to protect members, such as expanding email domain verification. Under such a scheme, LinkedIn users would be able to publicly attest that their profile is accurate by verifying that they can respond to email at the domain associated with their current employer. LinkedIn claims that its security systems detect and block approximately 96 percent of fake accounts. And despite the recent purges, LinkedIn may be telling the truth, Weaver said. “There’s no way you can test for that,” he said.
“Because technically, it may be that there were actually 100 million bots trying to sign up at LinkedIn as employees at Amazon.” Weaver said the apparent mass account purge at LinkedIn underscores the size of the bot problem, and could present a “real and material change” for LinkedIn. “It may mean the statistics they’ve been reporting about usage and active accounts are off by quite a bit,” Weaver said.
A .git folder contains essential information about a project, such as remote repository addresses, the commit history, and other metadata, and frequently credentials embedded in remote URLs. Leaving it publicly accessible on a web server can lead to breaches and system exposure.
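A practical check for the exposure described above, added here as an example (it is not code from the original page): a probe for `/.git/HEAD` that distinguishes a real ref from a "soft 404" page that happens to return 200, plus a parser that pulls remote URLs, and any credentials embedded in them, out of a leaked `.git/config`. The sample HEAD and config contents are constructed; the host, repository and token in them are placeholders.

```python
"""
Added example (not from the original page): detect an exposed .git directory
and extract the remote addresses it leaks. The HTTP probe is the usual check a
pentester runs; the parsers work offline on the constructed samples below.
"""
import configparser
import re
import urllib.request
from urllib.error import URLError

# Constructed sample of what GET /.git/HEAD returns on a misconfigured host.
SAMPLE_HEAD = "ref: refs/heads/main\n"

# Constructed sample .git/config. The remote URL carries a deploy token:
# exactly the kind of secret that leaks along with the repository layout.
# Host, repository and token are placeholders.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy:ghp_EXAMPLETOKEN@github.com/acme/shop-backend.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

# A real HEAD is either a symbolic ref or a bare 40-hex-digit SHA-1.
HEAD_RE = re.compile(r"^(ref: refs/|[0-9a-f]{40}$)")


def looks_like_git_head(body: str) -> bool:
    """True if the response body is a genuine .git/HEAD, which rules out
    HTML error pages served with a 200 status."""
    stripped = body.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    return bool(HEAD_RE.match(first_line))


def remote_urls(config_text: str) -> dict:
    """Parse .git/config and return {remote_name: url}. git's INI-like
    format is close enough for configparser; section names such as
    'remote "origin"' are matched literally."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    remotes = {}
    for section in parser.sections():
        m = re.fullmatch(r'remote "(.+)"', section)
        if m and parser.has_option(section, "url"):
            remotes[m.group(1)] = parser.get(section, "url")
    return remotes


def redact_credentials(url: str) -> str:
    """Strip user:password@ from a remote URL before it goes into a report."""
    return re.sub(r"//[^/@]+@", "//<redacted>@", url)


def probe(base_url: str, timeout: float = 5.0) -> bool:
    """Live check: fetch <base_url>/.git/HEAD. Needs network access."""
    url = f"{base_url.rstrip('/')}/.git/HEAD"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status == 200 and looks_like_git_head(body)
    except (URLError, ValueError):
        return False


if __name__ == "__main__":
    print("HEAD looks exposed:", looks_like_git_head(SAMPLE_HEAD))
    for name, url in remote_urls(SAMPLE_CONFIG).items():
        print(f"remote {name}: {redact_credentials(url)}")
```

On a real finding, treat any credential in the remote URL as compromised and rotate it, then block the directory at the web server rather than relying on the application: in nginx a `location ~ /\.git` block that returns 404 is the usual fix, and Apache's `<DirectoryMatch>` with `Require all denied` does the same. The HEAD check alone only proves exposure; a full assessment also fetches the objects and packed refs, which is what public dumping tools automate.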
Researchers discovered an advanced phishing site that mimics the legitimate Convertio website and uses the fake file converter to spread the Redline stealer malware strain. The genuine Convertio is an easy online tool that converts files into a variety of formats, including spreadsheets, documents, archives, images, eBooks, audio, and video.
There are multiple cities and regions across Europe where a cybersecurity professional can locate — or relocate — to nurture a flourishing career in this rapidly growing sector.
Palo Alto Networks' Unit 42 established links between the relatively new Ransom Cartel ransomware operation and the REvil ransomware gang. The malicious code used by the two groups had multiple similarities. In their campaigns, both relied on initial access brokers to acquire access to compromised networks and deploy ransomware. Moreover, the encryptors used by the gangs have similarly structured configurations.
According to Microsoft, the exposed information includes names, email addresses, email content, company name, and phone numbers, as well as files linked to business between affected customers and Microsoft or an authorized Microsoft partner.
Fraudsters somehow got hold of the last four digits of those people's credit card numbers – perhaps by exploiting some part of Verizon's online services – and used that information to gain control of their accounts.
The investigations that led to the arrest are a result of Operation Dark Cloud, launched in August and aiming to collect information on the activity of a criminal organization behind multiple cyberattacks targeting Brazilian government agencies.
Two of the vulnerabilities – tracked as CVE-2022-3386 and CVE-2022-3385, with severity scores of 9.8 out of 10 – involve stack-based buffer overflow flaws in version 2.4.17 and earlier of the R-SeeNet software, according to the agency.
The vulnerability was reported to Microsoft in August and it was fixed with the October 2022 Patch Tuesday updates. The tech giant has told customers that they are vulnerable to attacks if they are using the older version of the tool.
The Clicker malware masqueraded as seemingly harmless utilities like cameras, currency/unit converters, QR code readers, note-taking apps, and dictionaries, among others, in a bid to trick users into downloading them.
The refreshed and refactored variant has been codenamed LDR4, in what's being seen as an attempt to lay the groundwork for potential ransomware and data theft extortion operations.
The Operation CuckooBees campaign is back in action. After being dormant for around three months, the attackers have been found using the Spyder Loader malware to infect organizations in Hong Kong. The malware is capable of collecting information about compromised devices, executing malicious payloads, coordinating script execution, and communicating with its C2 server.
This privacy breach has taken the U.S. by storm, as Meta Pixel is used by many hospitals in the country, exposing millions of people to third parties and sparking class action lawsuits against the responsible organizations.
Network data show major sustained impacts to infrastructure across much of Ukraine after a series of reprisal attacks by Russia; energy facilities have been targeted per President’s office.
The new directive from the Transportation Security Administration requires rail companies to report hacking incidents to the Department of Homeland Security and to have a plan to keep a cybersecurity incident from hampering their operations.
The scam the FBI is warning about involves cybercriminals and fraudsters purporting to provide entrance to the Federal Student Loan Forgiveness program. Fraudsters could contact potential victims via phone, email, text, websites, or chat services.
To put the fines in perspective: EyeMed's parent company Luxottica of America reportedly rakes in annual revenues exceeding $500 million. In other words: don't shed too many tears for the insurer over a $4.5 million check.
The NCSC said it would improve the quality of information shared across the threat intelligence community more generally and reduce the volume of inaccurate or irrelevant information sent to partners.
Voice of America has obtained a copy of the spyware. In its report, the agency noted that the malware was previously distributed on various forums under titles such as "Telegram with Free Internet".
The gang has Russian-speaking members that have been operating since at least March 2020 using self-made malware, focusing on Russian companies in the logistics, industry, insurance, retail, real estate, software development, and banking sectors.
The cybersecurity team also includes representatives from the Ministry of Communications and Information, the Ministry of Defence, the Ministry of Home Affairs, the Monetary Authority of Singapore and the country's armed forces and police force.
In their attacks, Eric Meiggs and Declan Harrington targeted individuals who likely owned significant amounts of crypto assets in Coinbase or Block.io wallets or potential victims who controlled high-value Instagram and Tumblr accounts.
This Metasploit module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running Zimbra Collaboration Suite 9.0.0 Patch 26 and below and Zimbra Collaboration Suite 8.8.15 Patch 33 and below.
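Because the flaw sits in the extractor rather than in Zimbra's own code, a useful defensive check is to refuse any archive that depends on the symlink-then-file layout behind CVE-2015-1197 before it ever reaches cpio. The scanner below is an added example, not part of the Metasploit module or of Zimbra; the archives it inspects are constructed in memory, and the link target `/var/www/html` and the member names are placeholders standing in for the web root the module writes into.

```python
"""
Added example, not part of the Metasploit module or Zimbra: a pre-extraction
scan of a tar archive for the traversal patterns that a symlink-following
extractor (cpio without pax's checks) turns into writes outside the
extraction directory. Both sample archives are constructed in memory.
"""
import io
import posixpath
import tarfile


def escapes_root(path: str) -> bool:
    """True if a normalised archive path leaves the extraction root."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def find_traversal(data: bytes) -> list:
    """Return [(member_name, reason)] for a tar archive. Flags absolute or
    parent-relative names, links whose target escapes the root, and any
    member whose path passes through a symlink that appeared earlier in the
    archive: the layout that makes a follow-symlinks extractor write into
    the link target instead of the extraction directory."""
    findings = []
    symlinks = {}  # normalised member name -> resolved target, in order
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            name = m.name
            if escapes_root(name):
                findings.append((name, "absolute or parent-relative path"))
            if m.issym() or m.islnk():
                target = m.linkname
                if m.issym() and not target.startswith("/"):
                    # symlink targets are relative to the link's own directory
                    target = posixpath.join(posixpath.dirname(name), target)
                if escapes_root(target):
                    findings.append((name, f"link escapes root -> {m.linkname}"))
                if m.issym():
                    symlinks[posixpath.normpath(name)] = target
            parts = posixpath.normpath(name).split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append((name, f"path traverses symlink {prefix}"))
                    break
    return findings


def build_sample(malicious: bool) -> bytes:
    """Construct a small tar in memory. The malicious variant adds a symlink
    'web' -> /var/www/html (placeholder web root) followed by a file under
    web/, so a symlink-following extractor would place the file in the
    web root. The JSP content is a harmless placeholder comment."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, content: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

        add_file("report.txt", b"quarterly figures\n")
        if malicious:
            link = tarfile.TarInfo("web")
            link.type = tarfile.SYMTYPE
            link.linkname = "/var/www/html"
            tar.addfile(link)
            add_file("web/uploads/shell.jsp", b"<%-- constructed placeholder --%>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", build_sample(False)), ("malicious", build_sample(True))):
        print(label, find_traversal(blob) or "clean")
```

The intended fix on affected hosts is to apply the Zimbra patch and install pax so the extraction path no longer falls back to cpio; a scan like this belongs in a mail gateway as defence in depth, since it only recognises this archive layout and not every extractor bug. Note that the check is order-sensitive on purpose: the symlink has to precede the file for the trick to work, which is why the scanner records links as it walks the archive.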
Sysdig Falco is an open source behavioral activity monitoring agent with native support for containers. Falco lets you define highly granular rules, using a flexible syntax, to check for activities involving file and network access, process execution, IPC, and much more, and notifies you when these rules are violated. You can think of Falco as a mix between Snort, OSSEC and strace.
There is a vulnerability in Cisco Jabber that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Cisco Jabber client, including XMPP stanzas that are normally sent only by the trusted server.
Red Hat Security Advisory 2022-7005-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a randomization vulnerability.
Red Hat Security Advisory 2022-7003-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a randomization vulnerability.
Red Hat Security Advisory 2022-7008-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Issues addressed include buffer overflow and randomization vulnerabilities.
Red Hat Security Advisory 2022-7006-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a randomization vulnerability.
Red Hat Security Advisory 2022-7009-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Issues addressed include buffer overflow and randomization vulnerabilities.
Red Hat Security Advisory 2022-7002-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a randomization vulnerability.
Red Hat Security Advisory 2022-7056-01 - Red Hat Gluster Storage is a software-only scale-out storage solution that provides flexible and affordable unstructured data storage. It unifies data storage and infrastructure, increases performance, and improves availability and manageability to meet enterprise-level storage challenges. Issues addressed include an information leakage vulnerability.
Red Hat Security Advisory 2022-7011-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Issues addressed include buffer overflow and randomization vulnerabilities.
Red Hat Security Advisory 2022-7004-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a randomization vulnerability.
Red Hat Security Advisory 2022-7010-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Issues addressed include buffer overflow and randomization vulnerabilities.
Red Hat Security Advisory 2022-7012-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Issues addressed include buffer overflow and randomization vulnerabilities.
Red Hat Security Advisory 2022-7058-01 - OpenShift sandboxed containers support for OpenShift Container Platform provides users with built-in support for running Kata containers as an additional, optional runtime. This advisory contains an update for OpenShift sandboxed containers with security fixes and a bug fix. Space precludes documenting all of the updates to OpenShift sandboxed containers in this advisory. Issues addressed include a null pointer vulnerability.
Red Hat Security Advisory 2022-7001-01 - The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Issues addressed include buffer overflow and randomization vulnerabilities.
Red Hat Security Advisory 2022-7000-01 - The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Issues addressed include buffer overflow and randomization vulnerabilities.
Ubuntu Security Notice 5692-1 - David Bouman and Billy Jheng Bing Jhong discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Soenke Huster discovered that an integer overflow vulnerability existed in the WiFi driver stack in the Linux kernel, leading to a buffer overflow. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5691-1 - David Bouman and Billy Jheng Bing Jhong discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Soenke Huster discovered that an integer overflow vulnerability existed in the WiFi driver stack in the Linux kernel, leading to a buffer overflow. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5693-1 - David Bouman and Billy Jheng Bing Jhong discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Duoming Zhou discovered that race conditions existed in the timer handling implementation of the Linux kernel's Rose X.25 protocol layer, resulting in use-after-free vulnerabilities. A local attacker could use this to cause a denial of service.
Red Hat Security Advisory 2022-7044-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.
Red Hat Security Advisory 2022-6905-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.50. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2022-7055-01 - An update is now available for Red Hat Openshift distributed tracing 2.6.0. Issues addressed include denial of service and traversal vulnerabilities.
Global data privacy software innovator will use growth funding, led by GT Investment Partners and facilitated by Aon, to fuel customer success and expand global partnerships, sales, marketing, and industry education.
External attack surface management leader unveils evolution of risk intelligence solution, including a virtual sandbox environment to safely validate steps to remediation.
Compliance activities are often viewed as frustrating but necessary. That's an understandable view as teams often have to apply a set standard to existing systems and figure out how to collect enough evidence to answer an audit.
The Federal Police of Brazil on Wednesday announced it had arrested an individual for purported links to the notorious LAPSUS$ extortionist gang. The arrest was made as part of a new law enforcement effort, dubbed Operation Dark Cloud, that was launched in August 2022, the agency noted. Not much is known about the suspect other than the fact that the person could be a teenager. The Polícia
As many as 16 malicious apps with over 20 million cumulative downloads have been taken down from the Google Play Store after they were caught committing mobile ad fraud. The Clicker malware masqueraded as seemingly harmless utilities like cameras, currency/unit converters, QR code readers, note-taking apps, and dictionaries, among others, in a bid to trick users into downloading them,
The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot. "This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor
The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of an Android malware known as FurBall. "Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books," ESET researcher Lukas Stefanko said
When creating a Sandbox, the mindset tends to be that the Sandbox is considered a place to play around, test things, and there will be no effect on the production or operational system. Therefore, people don't actively think they need to worry about its security. This mindset is not only wrong, but extremely dangerous. When it comes to software developers, their version of sandbox is similar to
Google on Thursday announced that it's seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition, also known as GUAC, as part of its ongoing efforts to beef up the software supply chain. "GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," Brandon Lum, Mihai
A Russian-speaking ransomware group dubbed OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation over the course of two and a half years. "The group's victims include companies in sectors such as logistics, industry, insurance, retail, real estate, software development, and banking," Group-IB said in an exhaustive report
Someone's election-fiddling is uncovered with an Apple AirTag, a cyber scandal rocks Germany, and a swindler steals a fortune due to trains being delayed. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by runZero's Chris Kirsch. Plus don't miss our featured interview with Akamai's Patrick Sullivan talking about bots in the retail sector.
Microsoft says that it accidentally exposed sensitive customer data after failing to configure a server securely. But it's far from happy with the security researchers who told them about the problem...