AI & LLMs Show Promise in Squashing Software Bugs

November 10, 2024 at 11:48PM AI models are increasingly used for discovering software vulnerabilities, potentially increasing the number of disclosures initially but leading to reduced flaws over time. Recent experiments show promising results, though challenges remain in integrating these tools into development processes and addressing companies’ prioritization of efficiency over security.

Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine

November 4, 2024 at 06:21AM Google identified a zero-day vulnerability in SQLite using its AI framework, Big Sleep. This marks the first real-world vulnerability discovered by an AI agent. The flaw, a stack buffer underflow, has been addressed. Google emphasizes the potential of AI in finding vulnerabilities pre-release, but notes results are still experimental.

Google’s Shift to Rust Programming Cuts Android Memory Vulnerabilities by 52%

September 25, 2024 at 01:18PM Google’s shift to memory-safe languages like Rust has reduced memory safety vulnerabilities in Android from 76% to 24% in six years. Prioritizing secure coding for new features makes codebases safer and cost-effective. The decrease in vulnerabilities is due to the decay of new code’s vulnerabilities and advancements in combating vulnerabilities. Google …

In Other News: Possible Adobe Reader Zero-Day, Hijacking Mobi TLD, WhatsApp View Once Exploit

September 13, 2024 at 09:33AM SecurityWeek’s cybersecurity news roundup compiles noteworthy stories each week, including an Adobe Reader zero-day vulnerability, .mobi TLD TLS undermining, Scattered Spider ransomware targeting the insurance and financial sectors, macOS HZ RAT malware, WhatsApp View Once feature bypass, dismantling of card-cloning gangs, Google’s actions against influence operations, Windows MSI installer …

Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities

September 12, 2024 at 05:49AM Trend Micro researchers discovered remote code execution attacks on WhatsUp Gold leveraging the Active Monitor PowerShell Script since August 30. Exploiting vulnerabilities CVE-2024-6670 and CVE-2024-6671, the attacks persisted despite available patches, emphasizing the need for prompt patch application and proactive monitoring to prevent similar incidents. Mitigation steps include access control, …

Google Introduces Project Naptime for AI-Powered Vulnerability Research

June 24, 2024 at 11:24AM Google has unveiled Project Naptime, a framework allowing AI to conduct vulnerability research, mimicking human security researchers. It comprises tools like Code Browser, Python tool, Debugger, and Reporter. Naptime is model-agnostic and better at flagging security flaws, achieving higher scores than OpenAI GPT-4 Turbo in vulnerability tests. It enables LLM …

In Other News: Apple WPS Surveillance, Canadian Gov Wants Backdoors, NIST AI Program

May 31, 2024 at 09:36AM SecurityWeek compiles important cybersecurity news, highlighting impactful stories. Recent articles cover threats like abusing BitLocker for ransomware, critical data exposure in India, AI-as-a-service vulnerability, and surveillance using Wi-Fi-based positioning systems. Additionally, a memorandum of understanding aims to boost electric sector cybersecurity, while cyberspying targets political entities in multiple regions. Based …

Critical Flaw in Replicate AI Platform Exposes Proprietary Data

May 23, 2024 at 10:08AM A critical vulnerability in the Replicate AI platform allowed attackers to execute a malicious AI model for a cross-tenant attack, potentially compromising private AI models and sensitive data. Researchers at Wiz emphasize the difficulty of tenant separation in AI-as-a-service solutions and recommend new forms of mitigation to prevent future exploitation. …

In Other News: Locked Shields 2024, Data Exposure Bugs, NVIDIA Patches

May 3, 2024 at 10:29AM SecurityWeek offers a weekly roundup of cybersecurity news, highlighting significant developments from the latest vulnerability discoveries to industry reports. This week’s stories cover a former NSA employee’s prison sentence, a fundraising by Bricklayer AI, Chinese keyboard app vulnerabilities, NVIDIA and USPS phishing campaigns, a Los Angeles County data breach, and …

‘MagicDot’ Windows Weakness Allows Unprivileged Rootkit Activity

April 19, 2024 at 05:47AM A security researcher at SafeBreach, Or Yair, outlined vulnerabilities associated with the DOS-to-NT path conversion process in Windows, dubbed “MagicDot,” during a Black Hat Asia 2024 session. The issues enable attackers to conceal and impersonate files, directories, and processes, leading to potentially dangerous post-exploitation capabilities. Yair detailed four related vulnerabilities, …