vulnerabilities Archives - Page 33 of 63

Mitre Adds D3FEND Countermeasures to ATT&CK Framework

Issued by: Security Week

The project, called D3FEND, is available through the non-profit Mitre Corporation as a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques. The primary goal of the initial D3FEND release is to help standardize the vocabulary used to describe defensive cybersecurity technology functionality. Mitre described D3FEND as an “early stage experimental research project”…

Application Security

Google Intros SLSA Framework to Enforce Supply Chain Integrity

Issued by: Security Week

The U.S. tech giant this week unveiled SLSA (Supply chain Levels for Software Artifacts), a new end-to-end framework the company hopes will drive the enforcement of standards and guidelines to ensuring the integrity of software artifacts throughout the software supply chain. The framework, released as part of the OpenSSF Foundation, is essentially a set of…

Mobile Security

Google Rolls out E2EE For Android Messages App

Issued by: Security Week

Google announced end-to-end encryption is now available in Android, but only for one-on-one conversations between users of the Messages app. “No matter who you’re messaging with, the information you share is personal. End-to-end encryption in Messages helps keep your conversations more secure while sending. It ensures that no one can read the content of your…

Vulnerabilities

GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability

Issued by: Security Week

The flaw, classified as high severity and tracked as CVE-2021-3560, impacts polkit, an authorization service that is present by default in many Linux distributions. The security hole was discovered by Kevin Backhouse of the GitHub Security Lab. On Thursday, the researcher published a blog post detailing his findings, as well as a video showing the…

Vulnerabilities

Google Patches Chrome Zero-Day Used by Commercial Exploit Company

Issued by: Security Week

Ten of the issues were reported by external security researchers: one rated critical severity, seven high severity, and two medium severity. All are patched in Chrome 91.0.4472.101 for Windows, Mac and Linux. The most severe of these is CVE-2021-30544, a critical use-after-free bug that impacts BFCache, a browser optimization meant to enable instant back and…

Vulnerabilities

Intel Releases 29 Advisories to Describe 73 Vulnerabilities Affecting Its Products

Issued by: Security Week

According to Intel, more than half of the bugs were discovered internally and 40% were reported through its bug bounty program. The newly addressed issues represent more than half of the 132 potential vulnerabilities the company patched since the beginning of 2021 — 56 of them in graphics, networking, and Bluetooth components. The most severe…

Malware & Threats

Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning

Issued by: Security Week

Cisco describes Smart Install as a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. Smart Install can be very useful for organizations, but it can also pose a serious security risk. Once a device has been set up through Smart Install, the feature remains enabled and it can be accessed without…

Vulnerabilities

WAGO Controller Flaws Can Allow Hackers to Disrupt Industrial Processes

Issued by: Security Week

The vulnerabilities were found in the WAGO PFC200 programmable logic controller (PLC) and they have been patched by the vendor. One of flaws, tracked as CVE-2021-21001 and rated critical severity, has been described as a path traversal issue related to a CODESYS component used by the device. It allows an authenticated attacker with network access…

Vulnerabilities

CISA Announces Vulnerability Disclosure Policy Platform

Issued by: Security Week

Working in collaboration with bug bounty platform Bugcrowd and government technology contractor Endyna, CISA introduced its VDP platform to help Federal Civilian Executive Branch (FCEB) agencies identify and address vulnerabilities in critical systems. The platform was launched in support of Binding Operational Directive (BOD) 20-01, through which the Department of Homeland Security (DHS) instructed all…

Vulnerabilities

Actively Exploited Zero-Day Found in WordPress Plugin Used by Many Online Stores

Issued by: Security Week

Fancy Product Designer is a premium plugin for online stores that provides users with the ability to customize products with images and PDF files uploaded from various devices. The plugin provides various other customization options as well. This week, Wordfence discovered that threat actors are targeting an unpatched critical vulnerability in Fancy Product Designer. The…