Google has issued an urgent update for Chrome which patches a zero-day vulnerability under active exploitation. The Chrome team took just one day from report of the vulnerability to issuing the patch, such is the danger posed by this flaw. The patch is included in Chrome version v86.0.4240.111 (CVE-2020-15999) – any older versions should beRead more
Blog
Microsoft has patched a Remote Code Execution vulnerability in Visual Studio which could be exploited by creating a code repository – such as for a popular open source tool – and convincing a developer to clone and open it. The vulnerability (CVE-2020-17023) exists in the handling of the ‘package.json’ file and can be exploited toRead more
Achilles is the name of a set of 400 security vulnerabilities found in the Qualcomm chips that power a billion Android devices – many of which may never get fixed. Discovered by researchers at CheckPoint, the vulnerabilities all relate the DSP chip which is part of the Snapdragon processor that powers the phones and tablets. Read more
For 20 years a small two person firm in Ohio has licensed their TCP/IP software stack for use in embedded systems and IoT devices – from printers to medical devices. In June a collection of 19 vulnerabilities in this software was disclosed – affecting millions of devices from 50 different vendors. The collection of vulnerabilitiesRead more
Security Awareness Training is an essential component of any organisation’s information security. Even though it is mandated by frameworks such as PCI-DSS or ISO 27001, Security Awareness Training should be more than just a compliance exercise. A good security awareness training programme will drive changes in behaviour amongst staff, suppliers and customers that will improveRead more
Cable Haunt is a vulnerability in millions of cable modems which allows an attacker to execute arbitrary code on the modem. This vulnerability is interesting for two reasons – firstly the scale due to the number of vulnerable devices and secondly how the vulnerability came about. Cable Haunt is a buffer overflow defect in theRead more
Reading about the latest hacks by alleged nation state sponsored groups from China or Russia may make for interesting lunchtime reading. But do these groups pose a real threat to the typical business? Many security managers ask themselves: Do I really need to worry about nation state actors? In this article, we will answer thatRead more
Anti-virus company Avast has revealed they were breached over several months, after identifying the suspicious activity on their network on 23rd September according to a blog post by their CISO. Avast think their CCleaner software was the target of a supply chain attack – with the hackers attempting to repeat the 2017 insertion of maliciousRead more
Webmin, the web-based interface for system administration for Unix and Linux, had a remote code execution vulnerability deliberately introduced into its source code in April 2018. It was only publicised in August 2019 when a zero day exploit was published at DefCon 27. Webmin has been installed over a million times worldwide. The malicious codeRead more
Software Supply chain attacks – do you know what you are importing? Many websites and applications routinely import additional code modules from external repositories. These could be javascript libraries for a webpage or source code for an application. Two recent incidents illustrate the risks of supply chain attacks against the code of your applications andRead more
