• chevron_right

      Google researchers report critical zero-days in Chrome and all Apple OSes / ArsTechnica · Friday, 1 December - 00:38

    The phrase Zero Day can be spotted on a monochrome computer screen clogged with ones and zeros.

    Enlarge (credit: Getty Images )

    Researchers in Google's Threat Analysis Group have been as busy as ever, with discoveries that have led to the disclosure of three high-severity zero-day vulnerabilities under active exploitation in Apple OSes and the Chrome browser in the span of 48 hours.

    Apple on Thursday said it was releasing security updates fixing two vulnerabilities present in iOS, macOS, and iPadOS. Both of them reside in WebKit, the engine that drives Safari and a wide range of other apps, including Apple Mail, the App Store, and all browsers running on iPhones and iPads. While the update applies to all supported versions of Apple OSes, Thursday’s disclosure suggested in-the-wild attacks exploiting the vulnerabilities targeted earlier versions of iOS.

    “Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” Apple officials wrote of both vulnerabilities, which are tracked as CVE-2023-42916 and CVE-2023-42917.

    Read 4 remaining paragraphs | Comments

    • chevron_right

      ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation / ArsTechnica · Wednesday, 29 November - 00:38 · 1 minute

    Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word "exploit"

    Enlarge (credit: Getty Images)

    Security researchers are tracking what they say is the “mass exploitation” of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open-source filesharing server app.

    The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said , they began observing “mass exploitation” in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.

    Spraying the Internet

    “We're seeing hits to the specific endpoint that exposes sensitive information, which would be considered exploitation,” Glenn Thorpe, senior director of security research & detection engineering at Greynoise, said in an interview on Mastodon. “At the moment, we've seen 13 IPs that are hitting our unadvertised sensors, which indicates that they are pretty much spraying it across the internet to see what hits.”

    Read 11 remaining paragraphs | Comments

    • chevron_right

      Breaking Laptop Fingerprint Sensors / Schneier · Tuesday, 28 November - 21:13

    They’re not that good :

    Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we’ve reviewed in the last few years. It’s likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.

    Details .

    • chevron_right

      Inconsistencies in the Common Vulnerability Scoring System (CVSS) / Schneier · Friday, 1 September - 21:41 · 1 minute

    Interesting research :

    Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities

    Abstract: The Common Vulnerability Scoring System (CVSS) is a popular method for evaluating the severity of vulnerabilities in vulnerability management. In the evaluation process, a numeric score between 0 and 10 is calculated, 10 being the most severe (critical) value. The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users. We show that specific CVSS metrics are inconsistently evaluated for widespread vulnerability types, including Top 3 vulnerabilities from the ”2022 CWE Top 25 Most Dangerous Software Weaknesses” list. In a follow-up survey with 59 participants, we found that for the same vulnerabilities from the main study, 68% of these users gave different severity ratings. Our study reveals that most evaluators are aware of the problematic aspects of CVSS, but they still see CVSS as a useful tool for vulnerability assessment. Finally, we discuss possible reasons for inconsistent evaluations and provide recommendations on improving the consistency of scoring.

    Here’s a summary of the research.

    • chevron_right

      MOVEit app mass-exploited last month patches new critical vulnerability / ArsTechnica · Friday, 7 July, 2023 - 19:10 · 1 minute

    Stylized photo of desktop computer.

    Enlarge (credit: Lino Mirgeler/picture alliance via Getty Images )

    MOVEit, the file-transfer software exploited in recent weeks in one of the biggest cyberattacks ever , has received yet another security update that fixes a critical vulnerability that could be exploited to give hackers access to vast amounts of sensitive data.

    On Thursday, MOVEit maker Progress Software published a security bulletin that included fixes for three newly discovered vulnerabilities in the file-transfer application. The most serious of them, tracked as CVE-2023-36934, allows an unauthenticated attacker to gain unauthorized access to the application database. It stems from a security flaw that allows for SQL injection, one of the oldest and most common exploit classes.

    The vulnerability contains the same elements—and, likely, the same potentially devastating consequences—as one that came to light in late May when members of the Clop ransomware crime syndicate began mass-exploiting it on vulnerable networks around the world. To date, the Clop offensive has hit 229 organizations and spilled data affecting more than 17 million people, according to statistics tracked by Brett Callow, an analyst with security firm Emsisoft. Casualties include Louisiana and Oregon DMVs , the New York City Department of Education, and energy companies Schneider Electric and Siemens Electric.

    Read 7 remaining paragraphs | Comments

    • chevron_right

      Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking / ArsTechnica · Thursday, 6 July, 2023 - 19:45

    Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking


    The maintainers of the open-source software that powers the Mastodon social network published a security update on Thursday that patches a critical vulnerability making it possible for hackers to backdoor the servers that push content to individual users.

    Mastodon is based on a federated model. The federation comprises thousands of separate servers known as "instances." Individual users create an account with one of the instances, which in turn exchange content to and from users of other instances. To date, Mastodon has more than 24,000 instances and 14.5 million users, according to , a site that tracks statistics related to Mastodon.

    A critical bug tracked as CVE-2023-36460 was one of two vulnerabilities rated as critical that were fixed on Thursday . In all, Mastodon on Thursday patched five vulnerabilities.

    Read 11 remaining paragraphs | Comments

    • chevron_right

      Hackers exploit WordPress plugin flaw that gives full control of millions of sites / ArsTechnica · Friday, 31 March, 2023 - 22:40

    Hackers exploit WordPress plugin flaw that gives full control of millions of sites

    Enlarge (credit: Getty Images)

    Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.

    The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When those conditions are met, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.

    The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:

    Read 7 remaining paragraphs | Comments

    • chevron_right

      Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity / ArsTechnica · Wednesday, 29 March, 2023 - 00:24 · 1 minute

    Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity

    Enlarge (credit: Getty Images )

    Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

    The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

    In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

    Read 4 remaining paragraphs | Comments