Unpatched Vulnerabilities Allow Hacking of Mazda Cars: ZDI

November 8, 2024 at 08:49AM ZDI (Zero Day Initiative) has disclosed vulnerabilities in the infotainment systems of several Mazda car models that could allow unauthorized code execution, posing security risks for vehicle owners. The … Read more

Dark Reading Confidential: Pen Test Arrests, Five Years Later

September 10, 2024 at 10:36AM Becky Bracken, Senior Editor at Dark Reading, hosted a podcast discussing the aftermath of the arrest of cybersecurity professionals Gary De Mercurio and Justin Wynn, who were taken into custody during an authorized penetration test at a courthouse in Dallas County, Iowa. The incident highlighted the importance of physical penetration … Read more

Critical Flaws in Traccar GPS System Expose Users to Remote Attacks

August 26, 2024 at 04:00AM Two security vulnerabilities in the Traccar GPS tracking system, CVE-2024-24809 and CVE-2024-31214, allow unauthenticated attackers to achieve remote code execution if guest registration is enabled. The issues have been addressed in Traccar 6, released in April 2024, which turns off self-registration by default. Attack methods and system-specific exploitation details are … Read more

Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access

August 22, 2024 at 02:00AM A critical security flaw in the LiteSpeed Cache plugin for WordPress (CVE-2024-28000, CVSS score: 9.8) could allow unauthenticated users to gain administrator privileges. It was patched in version 6.4, released on August 13, 2024. This vulnerability underscores the importance of strong and unpredictable security hashes or nonces in web … Read more

Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters

August 20, 2024 at 06:40AM Cybersecurity researchers have identified a security flaw in Microsoft Azure Kubernetes Service (AKS) that allows attackers to escalate privileges and access service credentials. The bug affects clusters using “Azure CNI” for network configuration and “Azure” for network policy. Microsoft has addressed the issue. Other high-severity flaws in Kubernetes platforms have been reported, … Read more

Several Vulnerabilities Found in Google’s Quick Share Data Transfer Utility

August 12, 2024 at 11:54AM Vulnerabilities in Google’s Quick Share utility allowed man-in-the-middle attacks and unauthorized file transfers to Windows devices. SafeBreach discovered 10 vulnerabilities, two of which were assigned CVEs, and detailed their findings at DEF CON 32. The flaws have been addressed, but the utility remains under scrutiny. A scheduled task vulnerability was also exploited. The … Read more

Bipartisan Bill to Tighten Vulnerability Disclosure Rules for Federal Contractors

August 12, 2024 at 07:12AM Senators Mark R. Warner and James Lankford introduced the bipartisan Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024, aiming to enforce vulnerability disclosure rules for federal contractors. The bill mandates adherence to National Institute of Standards and Technology (NIST) guidelines and requires implementation of formal vulnerability disclosure policies to mitigate … Read more

Microsoft Warns of Unpatched Office Vulnerability Leading to Data Breaches

August 10, 2024 at 01:45AM Microsoft has disclosed an unpatched zero-day in Office (CVE-2024-38200) that could lead to unauthorized disclosure of sensitive information to malicious actors. A patch is expected on August 13, with an alternative fix already enabled. Three mitigation strategies have been outlined. Microsoft is also working on addressing other zero-day flaws in … Read more

Vulnerability Allowed Eavesdropping via Sonos Smart Speakers

August 9, 2024 at 05:12AM NCC Group researchers disclosed vulnerabilities in Sonos smart speakers, including a flaw allowing eavesdropping on users (CVE-2023-50809). Exploiting this through Wi-Fi could allow remote code execution and audio recording. Sonos and MediaTek released patches. Additional flaws in secure boot were discovered. Details are available in NCC Group’s whitepaper and accompanying … Read more

Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords

August 7, 2024 at 10:57AM Security researchers disclosed three flaws in the Roundcube webmail software that could allow attackers to execute malicious JavaScript, steal sensitive information, and gain a persistent foothold in victims' browsers. The vulnerabilities have been addressed in Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024. Additionally, a local privilege escalation flaw in … Read more