GitHub rotates keys to mitigate impact of credential-exposing flaw

January 16, 2024 at 05:23PM GitHub resolved vulnerabilities that enabled attackers to access credentials in production containers by patching CVE-2024-0200. The update applies to GitHub Enterprise Server versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. Although exploitation requires an organization owner role, GitHub rotated the exposed credentials and urges customers to install the security update promptly. Additionally, a command injection vulnerability …

Google fixes first actively exploited Chrome zero-day of 2024

January 16, 2024 at 02:14PM Google has released security updates to address the first Chrome zero-day vulnerability (CVE-2024-0519) exploited since the beginning of the year. This high-severity flaw in the Chrome V8 JavaScript engine allows attackers to access sensitive data, trigger crashes, and potentially execute arbitrary code. Google also fixed two other vulnerabilities (CVE-2024-0517 and …

GitLab Releases Updates to Address Critical Vulnerabilities

January 12, 2024 at 05:43PM GitLab releases versions 16.7.2, 16.6.3, and 16.5.6 to address critical vulnerabilities. These include an authentication issue allowing unverified email password resets and a vulnerability enabling slash command abuse in Slack/Mattermost. Other vulnerabilities affect code approval, workspace creation, and signed commit metadata. GitLab urges upgrading and enabling two-factor authentication. Based on …

GitLab warns of critical zero-click account hijacking vulnerability

January 12, 2024 at 02:47PM GitLab has released security updates to address critical vulnerabilities in its Community and Enterprise Edition, including an authentication flaw (CVE-2023-7028) allowing account hijacking and a vulnerability (CVE-2023-5356) enabling the abuse of Slack/Mattermost integrations. The flaws were addressed in GitLab versions 16.7.2, 16.5.6, and 16.6.4, with backported fixes available. For official …

About the security content of Magic Keyboard Firmware Update 2.0.6 – Apple Support

January 11, 2024 at 09:07AM A session management issue (CVE-2024-0230) impacting Bluetooth accessories was addressed with improved checks. The update, released on January 9, 2024, mitigates the risk of attackers extracting Bluetooth pairing keys and monitoring traffic. Affected products include various Magic Keyboards, with an available update to address the issue. Based on the meeting …

New year, new bugs in Windows, Adobe, Android, more to be fixed

January 9, 2024 at 05:35PM Microsoft’s recent Patch Tuesday brought 49 Windows security updates and four high-severity Chrome flaws for Edge. Although there’s no active exploitation, two critical CVEs are listed as “exploitation more likely.” Adobe and SAP also released patches for their products, while Google’s Android Security Bulletin addressed 59 CVEs. No prior exploits …

Adobe Patches Code Execution Flaws in Substance 3D Stager

January 9, 2024 at 12:54PM Adobe released patches for six security vulnerabilities in Substance 3D Stager, warning of potential code execution attacks. The ‘important-severity’ issues affect macOS and Windows users and could lead to memory leaks and arbitrary code execution. Adobe recommends immediate updates to version 2.1.4 to mitigate these risks, with no known in-the-wild …

Steam drops support for Windows 7 and 8.1 to boost security

January 2, 2024 at 03:46PM Steam officially stopped supporting Windows 7, 8, and 8.1 on January 1, with users urged to upgrade to a newer Windows OS. Microsoft’s extended support for Windows 7 ended in 2023. Windows 10 will reach end of support in 2025, making Windows 11 a better option. Steam warns unsupported versions …

Mozilla Patches Firefox Vulnerability Allowing Remote Code Execution, Sandbox Escape

December 20, 2023 at 10:21AM Mozilla announced security updates for Firefox 121 and Thunderbird 115.6 addressing 21 vulnerabilities, including high-severity issues such as a WebGL heap buffer overflow, an NSS weakness in its NIST curve implementation that exposed it to the Minerva attack, and uninitialized data exposure in EncryptingOutputStream. Both updates also include patches for several memory safety issues. The release notes contain further details. …

SSH shaken, not stirred by Terrapin vulnerability

December 20, 2023 at 03:44AM The SSH protocol vulnerability, dubbed the Terrapin Attack, can be exploited in man-in-the-middle attacks to weaken SSH security. By injecting messages during the handshake and blocking certain messages, attackers can downgrade security, potentially compromising user credentials. Mitigations include software updates and disabling vulnerable encryption modes. Details were disclosed by computer …