Bugs in open-source libraries impact 70% of modern software

Security Affairs

70 percent of mobile and desktop applications that today we use are affected at least by one security flaw that is present in open-source libraries. The experts analyzed over 85,000 applications and related imported libraries, accounting for over 351,000 unique external libraries.

Malware attack took down 600 computers at Volusia County Public Library

Security Affairs

System supporting libraries in Volusia County were hit by a cyber attack, the incident took down 600 computers at Volusia County Public Library (VCPL) branches. ” As a result of the incident, the computers at the library were not able to surf the web.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Malicious npm library removed from the repository due to backdoor capabilities

Security Affairs

The npm security team has removed a malicious JavaScript library named “ twilio-npm ” from its repository because contained malicious code. The tainted JavaScript library was spotted by the researcher Ax Sharma from security firm Sonatype.

Google Researcher Details Windows Cryptographic Library Bug

Data Breach Today

Flaw Could Cause Denial-of-Service Event in Windows Fleet, Researcher Claims A Google security researcher has disclosed what he calls an unpatched bug in the main cryptographic library used in newer versions of the Windows operating system that he claims could affect an entire fleet of Windows-based devices

Drupal fixed a new flaw related PEAR Archive_Tar library

Security Affairs

Drupal development team released security updates to address a vulnerability that resides in the PEAR Archive_Tar third-party library. The Drupal development team has released security updates to address the CVE-2020-36193 vulnerability in the PEAR Archive_Tar third-party library.

Cisco Talos discovered 2 critical flaws in the popular OpenCV library

Security Affairs

Maintainers of the OpenCV library addressed two buffer overflow flaws that could lead to arbitrary code execution. Maintainers of the OpenCV library addressed two high-severity buffer overflow vulnerabilities that could be exploited by an attacker to execute arbitrary code.

jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites

Security Affairs

The popular jQuery JavaScript library is affected by a rare prototype pollution vulnerability that could allow attackers to modify a JavaScript object’s prototype. The impact of the issue could be severe considering that the jQuery JavaScript library is currently used on 74 percent of websites online, most sites still use the 1.x versions of the library that are affected by the ‘Prototype Pollution’ vulnerability. SecurityAffairs – hacking, jQuery JavaScript library ).

Back-to-School Scams Target Students with Library-Themed Emails

Threatpost

Web Security back to school credential harvesting education cyberattack fake login pages library portals malware MediaGet torrent application downloader Phishing scam Scams student students university portals Win32.Agent.ifdx malware downloader WinLNK.Agent.gen downloaderStudents should keep their eyes peeled for phishing emails purporting to be from their colleges, as well as online student resources laced with malware, researchers warn.

Magecart Returns with Advertising Library Tactic

Threatpost

Malware Web Security adverline Advertising Card skimming group 12 Library magecart third party javascriptThe threat group also has a new subsidiary, Magecart Group 12.

Public Libraries as part of the HM Government ?roadmap? for COVID-19 Recovery

CILIP

Public Libraries as part of the HM Government ?roadmap? CILIP welcomes the recognition of libraries as essential services and library staff as ?key s pandemic response, demonstrating the vital role public libraries have to play in our national recovery. COVID-secure?

Feminist leadership, libraries and Covid-19

CILIP

Feminist leadership, libraries and Covid-19. s Library which was established in 1991 and now has more than 20 paid staff ? s was Roly Keating, Chief Executive of the British Library. s Library were sown.? s Library (GWL) and having been involved in a range of women?s

Two malicious Python libraries were stealing SSH and GPG keys

Security Affairs

The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were stealing SSH and GPG keys from the projects of infected developers. The expert discovered the two libraries on December 1, by the German software developer Lukas Martini.

A backdoor mechanism found in tens of Ruby libraries

Security Affairs

Maintainers of the RubyGems package repository have removed 18 malicious versions of 11 Ruby libraries that contained a backdoor. Maintainers of the RubyGems package repository have discovered a backdoor mechanism in 18 malicious versions of 11 Ruby libraries. The backdoor was used by attackers to inject mining code in Ruby projects using the malicious versions of the libraries. The post A backdoor mechanism found in tens of Ruby libraries appeared first on Security Affairs.

Six-Library Vulnerability in NGA

ForAllSecure

The US government has published a software library called six-library designed to parse and manipulate satellite imagery and data for both internal and public use. Reach out to us here , and one of our security experts would be happy to help you navigate the issue.

Six-Library Vulnerability in NGA

ForAllSecure

The US government has published a software library called six-library designed to parse and manipulate satellite imagery and data for both internal and public use. Reach out to us here , and one of our security experts would be happy to help you navigate the issue.

Backdoor mechanism found in Ruby strong_password library

Security Affairs

The developer Tute Costa found a backdoor in the Ruby library during regular security audits before deploying his code in the production environment. The developer Tute Costa found a backdoor in the Ruby library during regular security audits. The dangerous code was used to check the password strength of user-chosen passwords when the library was being used in a production environment. The attacker created a new version of the library (version 0.0.7

Facebook Launches Fizz Library for Dev Speed, Security

Dark Reading

New open source TLS library aims to help developers incorporate speed and security into apps and services

Prototype Pollution flaw discovered in all versions of Lodash Library

Security Affairs

Liran Tal, a developer advocate at open-source security platform Snyk, discovered a high-severity prototype pollution security flaw that affects all versions of lodash. Lodash is a JavaScript library which provides utility functions for common programming tasks using the functional programming paradigm. The flaw could be exploited by hackers to compromise the security of affected services using the library. “The popular npm library is used by 4.35

Shh! No Hacking the Census in the Library

WIRED Threat Level

Opinion: Millions of folks filling out the 2020 Census on public library computers also are putting themselves at risk. Security Opinion Security / Cyberattacks and Hacks

SUPERNOVA, a Backdoor Found While Investigating SolarWinds Hack

Security Affairs

While investigating the recent SolarWinds Orion supply-chain attack security researchers discovered another backdoor, tracked SUPERNOVA. The post SUPERNOVA, a backdoor found while investigating SolarWinds hack appeared first on Security Affairs.

A flaw in the Libarchive library impacts major Linux distros

Security Affairs

Google experts found a flaw, tracked as CVE-2019-18408, in the compression library libarchive could lead to arbitrary code execution. Google experts found a vulnerability, tracked as CVE-2019-18408, in the compression library libarchive could be exploited to execute arbitrary code. . The libarchive library is a multi-format archive and compression library that implements a single interface for reading/writing various compression formats.

The Big Issue and Library Champion Bobby Seagull bring the case for library funding to Parliament

CILIP

The Big Issue and Library Champion Bobby Seagull bring the case for library funding to Parliament. At a Parliamentary event at the House of Lords today, The Big Issue and Library Champion Bobby Seagull will join forces with CILIP, the UK library association, to make the case for long-term sustainable funding for libraries. 250m investment in the Culture Investment Fund, of which 50% is to be allocated to library and museum sector development.

Designing Libraries: Making space for makerspaces

CILIP

Recently I heard a librarian say that introducing makerspaces into libraries was one of the riskiest undertakings the service had ever embarked upon. I found this a little odd, since we are all in the information business and a lot of library time is taken up with answering ?how s library buildings are a mixture of ancient and modern. We increasingly share premises with other services, so sensitivity is always required when we adapt library spaces for new purposes ?

CVE-2020-7247 RCE flaw in OpenSMTPD library affects many BSD and Linux distros

Security Affairs

Security researchers have spotted a vulnerability, tracked as CVE-2020-7247, that affects a core email-related library used by many BSD and Linux distributions. Security experts from Qualys have discovered a flaw, tracked as CVE-2020-7247, in OpenSMTPD. The CVE-2020-7247 flaw was introduced in the OpenSMTPD in May 2018, but many distros still use older implementation of the library that are not impacted.

Closure JavaScript Library introduced XSS issue in Google Search and potentially other services

Security Affairs

A change made months ago in an open-source JavaScript library introduced a cross-site scripting (XSS) vulnerability in Google Search. The Japanese security researcher Masato Kinugawa discovered an XSS vulnerability in Google Search that was introduced with a change made months ago in an open-source JavaScript library. The library is named Closure and according to the expert it fails to properly sanitize user input.

Discover a world of reading this Libraries Week

CILIP

Discover a world of reading this Libraries Week. This Libraries Week (5-10 October 2020) libraries across the UK will showcase their reading offer as we celebrate the vital role of libraries in the UK?s ExpressYourShelf this Libraries Week by taking part in CILIP?s

Apache Struts users have to update FileUpload library to fix years-old flaws

Security Affairs

Apache Struts Users have to update the Commons FileUpload library in Struts 2 that is affected by two vulnerabilities. Apache Struts developers have addressed two vulnerabilities in the Commons FileUpload library in Struts 2, the flaws can be exploited for remote code execution and denial-of-service (DoS) attacks. ” stated Tenable in the security advisory. of the library, while users have to manually update applications using Struts 2.3.36

Google expert disclosed details of an unpatched flaw in SymCrypt library

Security Affairs

Tavis Ormandy, a white hat hacker Google Project Zero announced to have found a zero-day flaw in the SymCrypt cryptographic library of Microsoft’s operating system. The recently released Microsoft Patch Tuesday security updates for June 2019 failed to address a flaw in SymCrypt , a core cryptographic function library currently used by Windows. The post Google expert disclosed details of an unpatched flaw in SymCrypt library appeared first on Security Affairs.

Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D

Threatpost

The flaws exist in Autodesk's FBX library, integrated in Microsoft's Office, Office 365 ProPlus and Paint 3D applications.

Uncovering Vulnerabilities In Open Source Libraries (CVE-2019-13499)

ForAllSecure

In this post, we will follow up on a prior article on using Mayhem to analyze stb and MATIO by reviewing three additional vulnerabilities found in another open source library. Understanding the downstream users of a library can help prioritize fuzzing efforts. Introduction.

Uncovering Vulnerabilities In Open Source Libraries (CVE-2019-13499)

ForAllSecure

In this post, we will follow up on a prior article on using Mayhem to analyze stb and MATIO by reviewing three additional vulnerabilities found in another open source library. Understanding the downstream users of a library can help prioritize fuzzing efforts. Introduction.

UNCOVERING VULNERABILITIES IN OPEN SOURCE LIBRARIES

ForAllSecure

In this post, we will follow up on a prior article on using Mayhem to analyze stb and MATIO by reviewing three additional vulnerabilities found in another open source library. Understanding the downstream users of a library can help prioritize fuzzing efforts. Introduction.

Library-Themed University Phishing Attack Expands to Massive Scale

Threatpost

Breach Web Security cobalt dickens CTU expansion phishing campaign Proofpoint silent librarian student credentials universitiesCobalt Dickens (a.k.a. Silent Librarian) is now actively targeting 380 universities, bent on stealing credentials and moving deeper into school networks.

Google Play Apps Remain Vulnerable to High-Severity Flaw

Threatpost

Patches for a flaw (CVE-2020-8913) in the Google Play Core Library have not been implemented by several popular Google Play apps, including Cisco Teams and Edge.

Time to end a decade of library austerity

CILIP

Time to end a decade of library austerity. CILIP and Library Champion Bobby Seagull delivered a petition to Downing Street last Thursday calling for an end to a decade of public library austerity and demanding secure revenue funding for public libraries in the Chancellor?s

Microsoft Fixes RCE Flaws in Out-of-Band Windows Update

Threatpost

The two important-severity flaws in Microsoft Windows Codecs Library and Visual Studio Code could enable remote code execution.

Silent Librarian Goes Back to School with Global Research-Stealing Effort

Threatpost

Breach Hacks Web Security colleges Credential Theft Credentials global Irán Iranian hackers library portals Malwarebytes Phishing Research Sanctions silent librarian stealing universitiesThe Iranian hacker group is targeting universities in 12 countries.

Uncovering Vulnerabilities In Cryptographic Libraries: Mayhem, MatrixSSL, And WolfSSL (CVE-2019-13470)

ForAllSecure

As part of a recent initiative at ForAllSecure to analyze more open source software with Mayhem, a next-generation fuzzing solution, we decided to investigate some cryptographic libraries. Why Crypto Libraries? Why look at crypto libraries? Development Speed or Code Security.

Uncovering Vulnerabilities In Cryptographic Libraries: Mayhem, MatrixSSL, And WolfSSL (CVE-2019-13470)

ForAllSecure

As part of a recent initiative at ForAllSecure to analyze more open source software with Mayhem, a next-generation fuzzing solution, we decided to investigate some cryptographic libraries. Why Crypto Libraries? Why look at crypto libraries? Introduction.

UNCOVERING VULNERABILITIES IN CRYPTOGRAPHIC LIBRARIES: MAYHEM, MATRIXSSL, AND WOLFSSL

ForAllSecure

As part of a recent initiative at ForAllSecure to analyze more open source software with Mayhem, a next-generation fuzzing solution, we decided to investigate some cryptographic libraries. Why Crypto Libraries? Why look at crypto libraries? Introduction.