Dark Reading

JULY 14, 2023

A bug in Zimbra email servers is already being exploited in the wild, Google TAG researchers warn.

87

87

Krebs on Security

JUNE 8, 2021

Microsoft today released another round of security updates for Windows operating systems and supported software, including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks. Among the zero-days are: – CVE-2021-33742 , a remote code execution bug in a Windows HTML component.

Security 288

Security Ransomware Phishing Cloud 288

Security Affairs

JULY 27, 2023

It was developed by Zimbra, Inc The vulnerability is reflected Cross-Site Scripting (XSS) that was discovered by Clément Lecigne of Google Threat Analysis Group (TAG). Google TAG researchers focus on identifying and countering advanced and persistent threats. Zimbra this week released version ZCS 10.0.2

Risk 93

Risk Security IT Information Security 93

Threatpost

AUGUST 5, 2019

Buffer overflows, race conditions, use-after-free and more account for more than half of all vulnerabilities in the Android platform.

Security 57

Security 57

Krebs on Security

AUGUST 9, 2022

This latest MSDT bug — CVE-2022-34713 — is a remote code execution flaw that requires convincing a target to open a booby-trapped file, such as an Office document. Microsoft this month also issued a different patch for another MSDT flaw, tagged as CVE-2022-35743.

Authentication 230

Authentication Access IT Security 230

Security Affairs

MARCH 29, 2023

Google’s Threat Analysis Group (TAG) discovered several exploit chains targeting Android, iOS, and Chrome to install commercial spyware. Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome. links sent over SMS to users.

Archiving 94

Archiving Access Risk Security 94

Krebs on Security

DECEMBER 14, 2022

The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell , and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week’s Patch Tuesday.

Ransomware 185

Ransomware Authentication Security Access 185

Security Affairs

JULY 30, 2023

The popular Threat Analysis Group (TAG) Maddie Stone wrote Google’s fourth annual year-in-review of zero-day flaws exploited in-the-wild [ 2021 , 2020 , 2019 ], it is built off of the mid-year 2022 review. ” reads the report published by Google TAG. Google's 2022 Year in Review of in-the-wild 0-days is out!

IT 93

IT Security Information Security 93

Security Affairs

DECEMBER 20, 2023

.” The fact that the issue was discovered by Google TAG suggests it was exploited by a nation-state actor or by a surveillance firm. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. ” continues the advisory.

Libraries 121

Libraries Access IT Information Security 121

Security Affairs

APRIL 2, 2024

The Unauthenticated Stored Cross-Site Scripting vulnerability was reported to Wordfence by the WordPress developer Webbernaut as part of the company Bug Bounty Extravaganza. Then the attacker can modify the raw request to contain an X-Forwarded-For header set to a malicious payload enclosed in script tags.

Access 126

Access IT Information Security Security 126

Security Affairs

APRIL 13, 2022

The remote code execution flaw, tracked as CVE-2020-17530, resides in forced OGNL evaluation when evaluated on raw user input in tag attributes. Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution – similar to S2-059.” ” reads the advisory published by Apache.

Cybersecurity 137

Cybersecurity Security IT Information Security 137

Security Affairs

APRIL 1, 2023

CISA has added nine flaws to its Known Exploited Vulnerabilities catalog, including bugs exploited by commercial spyware on mobile devices. Google TAG shared indicators of compromise (IoCs) for both campaigns. The experts pointed out that both campaigns were limited and highly targeted.

Cybersecurity 89

Cybersecurity Education Risk Security 89

Security Affairs

SEPTEMBER 15, 2019

The Tor Project has raised $86,000 for a Bug Smash fund that it will use to pay developers that will address critical flaws in the popular anonymizing network. The Tor Project has raised $86,000 for a Bug Smash fund that was created to pay developers that will address critical security and privacy issues in the popular anonymizing network.

Privacy 85

Privacy Security IT Information Security 85

Security Affairs

JUNE 7, 2023

June 2023 security update for Android released by Google fixes about fifty flaws, including an Arm Mali GPU bug exploited by surveillance firms in their spyware. In March, Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome.

Security 93

Security Cybersecurity Access IT 93

Security Affairs

FEBRUARY 25, 2024

Iran Crisis Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign U.S.

Military 103

Military Security Ransomware Insurance 103

Security Affairs

JUNE 6, 2019

Bug 30565 : Sync nocertdb with privatebrowsing.autostart at startup Bug 30464 : Add WebGL to safer descriptions Translations update Update NoScript to 10.6.2 Bug 29969 : Remove workaround for Mozilla’s bug 1532530 Update HTTPS Everywhere to 2019.5.13 Bwloe the full changelog since Tor Browser 8.5:

Security 90

Security IT Information Security Privacy 90

Security Affairs

JANUARY 11, 2023

US CISA added Microsoft Exchange elevation of privileges bug CVE-2022-41080 to its Known Exploited Vulnerabilities Catalog. The post US CISA adds MS Exchange bug CVE-2022-41080 to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs. Follow me on Twitter: @securityaffairs and Facebook and Mastodon.

IT 97

IT Ransomware Cloud Cybersecurity 97

Security Affairs

APRIL 3, 2022

Sophos Firewall affected by a critical authentication bypass flaw Mar 20- Mar 26 Ukraine – Russia the silent cyber conflict Security Affairs newsletter Round 358 by Pierluigi Paganini Western Digital addressed a critical bug in My Cloud OS 5 CISA adds 66 new flaws to the Known Exploited Vulnerabilities Catalog. And how to prevent it?

Security 88

Security Authentication Ransomware Cloud 88

Security Affairs

APRIL 9, 2024

“V8 vulnerabilities are rarely “classic” memory corruption bugs (use-after-frees, out-of-bounds accesses, etc.) Almost every Chrome exploits observed in the wild between 2021 and 2023 triggered a memory corruption issue in a Chrome renderer process that was exploited for remote code execution (RCE).

Access 120

Access IT Security Information Security 120

Security Affairs

JANUARY 18, 2021

While conducting reconnaissance and fingerprinting the experts found three Apple hosts running a content management system (CMS) backed by Lucee , which is a dynamic, Java-based, tag and scripting language used for rapid web application development. ” reads the post published by the bug bounty hackers. Pierluigi Paganini.

IT 102

IT CMS Authentication Access 102

Security Affairs

SEPTEMBER 25, 2021

The vulnerability is a use after free in Portals, it was reported by Clément Lecigne from Google TAG, who worked with Sergei Glazunov and Mark Brand from Google Project Zero. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.”We

Libraries 97

Libraries IT Access Security 97

Security Affairs

NOVEMBER 28, 2021

North Korea-linked APT group posed as Samsung recruiters is a spear-phishing campaign that targeted South Korean security companies that sell anti-malware solutions, Google TAG researchers reported. Google TAG researchers reported that the same group, tracked as Zinc ,” also targeted security researchers in past campaigns.

Security 131

Security Phishing Information Security Communications 131

Security Affairs

OCTOBER 1, 2021

The CVE-2021-37976 is an Information leak that resides in the core, it was reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21. ” states the update provided by Google. ” states the update provided by Google.

Security 89

Security Government IT Information Security 89

Security Affairs

APRIL 28, 2020

A bug in the Real-Time Find and Replace WordPress plugin could allow hackers to hackers to create rogue admin accounts on over 100,000 sites. “An attacker could use this vulnerability to replace a HTML tag like with malicious Javascript. ” continues the report. Other attacks recently observed are: Jan. Pierluigi Paganini.

GDPR 127

GDPR Authentication IT Access 127

Krebs on Security

DECEMBER 11, 2018

At least nine of the bugs in the Microsoft patches address flaws the company deems “critical,” meaning they can be exploited by malware or ne’er-do-wells to install malicious software with little or no help from users, save for perhaps browsing to a hacked or booby-trapped site.

Security 158

Security IT 158

Security Affairs

NOVEMBER 18, 2019

Even if AMP4Email implements a strong validator that only allows a list of tags and attributes in dynamic mails, it doesn’t implement a validation system to prevent cross-site scripting (XSS) attacks. Google in their bug bounty program, don’t actually expect bypassing CSP and pay a full bounty anyway.

Security 95

Security IT Access Information Security 95

Security Affairs

JANUARY 12, 2021

While partnering with the Google Threat Analysis Group (TAG), the experts discovered a watering hole attack in Q1 2020 that was carried out by a highly sophisticated actor. The Google Project Zero team has recently launched an initiative aimed at devising new techniques to detect 0-day exploits employed in attacks in the wild.

Security 115

Security Access IT Information Security 115

Krebs on Security

DECEMBER 4, 2019

13, KrebsOnSecurity contacted Apple to report this as a possible privacy bug in the new iPhone Pro and/or in iOS 13.x, Apple says this is by design, but that response seems at odds with the company’s own privacy policy.

Privacy 195

Privacy Encryption IT Security 195

eSecurity Planet

MARCH 16, 2023

. “An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft explained.

Energy and Utilities 87

Energy and Utilities Authentication Ransomware Military 87

ForAllSecure

MARCH 16, 2023

with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v4.1.1 Once complete, you’ll need to modify any corresponding Mayhem.yml file to use your specific tagged release and test your changes.

Security 52

Security Metadata Passwords IT 52

Security Affairs

JANUARY 21, 2024

million cryptojacking scheme arrested in Ukraine Cybercrime Cryptojacker arrested in Ukraine over EUR 1.8

Security 105

Security e-Discovery Artificial Intelligence Ransomware 105

Security Affairs

JULY 15, 2023

Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise The source code of the BlackLotus UEFI Bootkit was leaked on GitHub US CISA warns of Rockwell Automation ControlLogix flaws Indexing Over 15 Million WordPress Websites with PWNPress New AVrecon botnet remained under the radar for two (..)

Security 96

Security Data breaches Government Analytics 96

ForAllSecure

JANUARY 28, 2021

This software contained a code execution bug discovered by ForAllSecure Mayhem, an advanced fuzz testing solution. One thing is for sure, this code is likely used in both government and private code bases and this particular bug has been lying unknown (hopefully!) Finding the bug. Finding the bug.

Libraries 52

Libraries Data structuring Government IT 52

ForAllSecure

JANUARY 28, 2021

This software contained a code execution bug discovered by ForAllSecure Mayhem, an advanced fuzz testing solution. One thing is for sure, this code is likely used in both government and private code bases and this particular bug has been lying unknown (hopefully!) Finding the bug. Finding the bug.

Libraries 52

Libraries Data structuring Government IT 52

Security Affairs

APRIL 23, 2023

Abandoned Eval PHP WordPress plugin abused to backdoor websites CISA adds MinIO, PaperCut, and Chrome bugs to its Known Exploited Vulnerabilities catalog At least 2 critical infrastructure orgs breached by North Korea-linked hackers behind 3CX attack American Bar Association (ABA) suffered a data breach,1.4

Security 82

Security Ransomware Data breaches Cybersecurity 82

eSecurity Planet

OCTOBER 9, 2023

Researchers from Google’s Threat Analysis Group (TAG) and Project Zero uncovered the weakness, which is connected to unauthorized access to freed memory, possibly allowing attackers to corrupt or change sensitive data. It’s a use-after-free memory bug that might allow attackers to access or change sensitive data locally.

Libraries 89

Libraries Ransomware Access Security 89

Information Management Resources

JUNE 25, 2019

The company’s disclosure in September that hackers exploited several software bugs to obtain login access to accounts was tagged as Facebook’s worst security breach ever.

Data breaches 32

Data breaches Access Security 32