#SoftwareSecurity

About the security content of visionOS 2.2 – Apple Support

by

December 11, 2024 at 01:33PM Apple Vision Pro’s visionOS 2.2 has multiple vulnerabilities addressed through updates, including permissions issues, memory handling improvements, and enhanced network security. Notable CVEs include CVE-2024-54513, CVE-2024-54486, and CVE-2024-45490, which could lead to data exposure, unexpected app termination, or memory corruption. Update available on December 11, 2024. ### Meeting Takeaways: **Release … Read more

Adobe Patches Over 160 Vulnerabilities Across 16 Products

by

December 10, 2024 at 02:05PM Adobe’s December 2024 Patch Tuesday updates addressed over 160 vulnerabilities across 16 products, notably Adobe Experience Manager and Adobe Animate. The patches include medium to critical severity issues, particularly concerning arbitrary code execution. While no known exploits exist, users are urged to apply the updates promptly for security. ### Meeting … Read more

Lessons From the Largest Software Supply Chain Incidents

by

December 10, 2024 at 09:59AM Marc Andreessen’s phrase “Software is eating the world” remains relevant as software transforms industries and boosts the economy. However, the rapid growth in software development has led to a surge in supply chain attacks, with predictions of increased occurrences. Organizations must prioritize security, vet vendors diligently, and evaluate their entire … Read more

Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions

by

December 7, 2024 at 06:15AM Two versions of the Python AI library Ultralytics (8.3.41 and 8.3.42) were compromised, delivering a cryptocurrency miner. The affected versions have been removed, and a new one includes a security fix. The attack exploited a GitHub Actions vulnerability, raising concerns about potential future threats like backdoors. **Meeting Takeaways – Dec … Read more

Open Source Security Priorities Get a Reshuffle

by

December 6, 2024 at 10:07AM The latest “Census of Free and Open Source Software” highlights the rising significance of open source components, especially in Python and cloud connectivity. The report emphasizes the need for better funding and maintenance to enhance software security, as reliance on aging, unpaid developers poses sustainability challenges for critical software ecosystems. … Read more

Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console

by

December 4, 2024 at 12:45AM Veeam released security updates for a critical vulnerability (CVE-2024-42448) in its Service Provider Console, which allows remote code execution. Another vulnerability (CVE-2024-42449) poses risks of NTLM hash leakage and file deletion. Users must upgrade to version 8.1.0.21999 to mitigate risks as there are no alternative fixes. **Meeting Takeaways – December … Read more

Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

by

December 4, 2024 at 12:45AM A critical vulnerability (CVE-2024-10905) in SailPoint’s IdentityIQ software allows unauthorized access to application directory content, with a CVSS score of 10.0. Affected versions include 8.2, 8.3, and 8.4, along with their respective patch levels. No security advisory from SailPoint has been released yet. **Meeting Takeaways – December 4, 2024** 1. … Read more

Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers

by

November 27, 2024 at 11:30AM A critical security flaw (CVE-2024-11680) in the ProjectSend application, linked to improper authorization, has been actively exploited since September 2024. Despite a patch released in August 2024, only 1% of servers are updated. Users are urged to apply the latest patches to mitigate risks. CVSS score: 9.8. ### Meeting Takeaways … Read more

News Desk 2024: Can GenAI Write Secure Code?

by

November 27, 2024 at 08:16AM Generative AI is rapidly learning to code, mirroring human development but also inheriting flaws from open-source models. Chris Wysopal highlights the challenge of increasing code volume leading to more vulnerabilities. He proposes using AI to identify and fix these issues, emphasizing ongoing work on specialized language models for enhanced security. … Read more

Google’s AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects

by

November 21, 2024 at 03:13AM Google’s AI-powered fuzzing tool, OSS-Fuzz, has uncovered 26 vulnerabilities, including a medium-severity flaw in OpenSSL (CVE-2024-9143), indicating significant advancements in automated vulnerability detection. The tool enhances code coverage and is part of Google’s transition to memory-safe languages like Rust, alongside new security checks in C++. **Meeting Takeaways – Nov 21, … Read more