When it comes to security vulnerabilities, they don’t get any worse than the one recently disclosed in the Log4j utility which was awarded the maximum CVSS severity of 10. This is not some theoretical risk, it is an open door to affected systems. The NCSC calls it: ‘potentially the most severe computer vulnerability in years.’Read more
Blog
Mozilla has published a security advisory warning of a critical security vulnerability in the Network Security Services libraries which are widely used by open-source software. While the bug does not impact Mozilla Firefox, it is thought to affect many other email clients and PDF viewers that use the electronic signature verification features of the NetworkRead more
Long considered a theoretical attack, HTTP request smuggling is now ‘soaring in popularity’ according to a new research paper published this month. What is HTTP request smuggling and what risk does it pose to your network? HTTP Request Smuggling (HRS) was first documented back in 2005. It is made possible by the way different webRead more
Blacksmith is a new kind of Rowhammer attack that has been proved to successfully bypass existing Rowhammer protections in modern DDR4 memory chips – allowing researchers to extract security secrets and change memory contents on victim computers. What is Rowhammer? Modern computer memory chips are physically very dense – with billions of memory cells (eachRead more
Modern software development makes extensive use of open-source libraries that save development time and money. However, 79% of developers fail to keep those libraries up to date leaving their code vulnerable to newly discovered flaws and vulnerabilities. A new report from testing firm Veracode reveals some worrying trends that Security Managers should discuss with theirRead more
Recent high-profile security incidents, such as the compromises at SolarWinds and CodeCov and the vulnerabilities in Microsoft Exchange Server, have drawn attention to the risks posed by the software we invite into the heart of our networks and often trust implicitly. The processes and procedures for identifying and mitigating the risks posed by these third-partyRead more
Web browsers are adding more TCP ports to their block lists in an attempt to prevent exploitation of NAT Slipstream attacks. NAT Slipstreaming is an attack which tricks the NAT router into allowing external traffic through the NAT firewall to target any internal network device by abusing protocols such as SIP or H.323 where thisRead more
A new whitepaper from Microsoft highlights the risks of software supply chain attacks for organisations that pull package dependencies from public repositories like npm, RubyGems and PIP. A dependency confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository insteadRead more
