Biden Signs New Cybersecurity Order
President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US government's procurement power to improve cybersecurity practices industry-wide. Some details: The core of the executive order is an array of mandates for protecting government networks...
Verizon’s 2024 DBIR Unpacked: From Ransomware Evolution to Supply Chain Vulnerabilities
As we delve into cybersecurity's complex and evolving landscape, the Verizon 2024 Data Breach Investigations Report (DBIR) offers crucial insights into the mechanisms and motives behind the latest wave of cyberattacks. Qualys is once again proud to contribute to the report, helping to dissect these...
[SECURITY] Fedora 38 Update: openmpi-4.1.4-9.fc38
Open MPI is an open source, freely available implementation of both the MPI-1 and MPI-2 standards, combining technologies and resources from several other projects (FT-MPI, LA-MPI, LAM/MPI, and PACX-MPI) in order to build the best MPI library available. A completely new MPI-2 compliant...
Are Source Code Leaks the New Threat Software vendors Should Care About?
Less than a month ago, Twitter indirectly acknowledged that some of its source code had been leaked on the code-sharing platform GitHub by sending a copyright infringement notice to take down the incriminated repository. The latter is now inaccessible, but according to the media, it was accessibl...
Advanced threat predictions for 2023
It is fair to say that since last year's predictions, the world has dramatically changed. While the geopolitical landscape has durably shifted, cyberattacks remain a constant threat and show no signs of receding – quite the contrary. No matter where they are, people around the world should be...
An Easier Way to Keep Old Python Code Healthy and Secure
Python has its pros and cons, but it's nonetheless used extensively. For example, Python is frequently used in data crunching tasks even when there are more appropriate languages to choose from. Why? Well, Python is relatively easy to learn. Someone with a science background can pick up Python mu...
The struggle to reduce bug-fixing time is real
There are many reasons why we want a bug fixed as soon as we can, but there are also plenty of reasons why doing it “right now” is not an option. This phenomenon starts at the side of the developers. The average time to fix a bug seems to vary depending on the platform the bug was found in. What ...
Vendors are Fixing Security Flaws Faster
Google's Project Zero is reporting that software vendors are patching their code faster. tl;dr In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago. In addition to the...
What is a Supply Chain Attack ❓
Presentation: The Kaseya cyberattack disturbed more than 1,000 organizations over the Fourth of July weekend and may end up being perhaps the greatest hack ever. It's additionally a typical case of a “Supply Chain” hack: a sort of cyberattack where hoodlums target programming merchants or IT...
Microarchitectural Data Sampling Advisory
Summary: A potential security vulnerability in CPUs may allow information disclosure. Intel is releasing Microcode Updates (MCU) to mitigate this potential vulnerability. Vulnerability Details: CVEID: CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some...
Intel Releases Security Advisories on Multiple Products
Intel has released security updates and recommendations to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to...
PA-DSS to Software Security Framework: What You Need to Know
The Payment Application Data Security Standard (PA-DSS), developed by the Payment Card Industry Security Standards Council (PCI SSC), applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data. The list o...
Oracle and "Responsible Disclosure"
I've been writing about "responsible disclosure" for over a decade; here's an essay from 2007. Basically, it's a tacit agreement between researchers and software vendors. Researchers agree to withhold their work until software companies fix the vulnerabilities, and software vendors agree not to...
Adventures in vulnerability reporting
Posted by Natalie Silvanovich, Project Zero At Project Zero, we spend a lot of time reporting security bugs to vendors. Most of the time, this is a fairly straightforward process, but we occasionally encounter challenges getting information about vulnerabilities into the hands of vendors. Since i...
Intel Releases Security Advisory on Lazy FP State Restore Vulnerability
Intel has released recommendations to address a vulnerability—dubbed Lazy FP state restore—affecting Intel Core-based microprocessors. An attacker could exploit this vulnerability to obtain access to sensitive information. NCCIC encourages users and administrators to review Intel's Security...
Quest KACE System Management Appliance 8.0 (Build 8.0.318) XSS / Traversal / Code Execution / SQL Injection
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Quest KACE System Management Appliance Multiple Vulnerabilities 1. Advisory Information Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL:...
OpenPGP, S/MIME Mail Client Vulnerabilities
The CERT Coordination Center (CERT/CC) has released information on email client vulnerabilities that can reveal plaintext versions of OpenPGP- and S/MIME-encrypted emails. A remote attacker could exploit these vulnerabilities to obtain sensitive information. NCCIC encourages users and administrator...
Debug Exception May Cause Unexpected Behavior
The CERT Coordination Center (CERT/CC) has released information for CVE-2018-8897 – unexpected behavior for debug exceptions. A local attacker could exploit this bug to obtain sensitive information. NCCIC encourages users and administrators to review CERT/CC's Vulnerability Note VU 631579 for more...
Intel Says Firmware Fixes for Spectre and Meltdown Affecting Newer Chips
Intel’s efforts to issue fixes for the Spectre and Meltdown CPU vulnerabilities are still hitting some bumps in the road, a company executive said in a blog post. “We have now issued firmware updates for 90 percent of Intel CPUs introduced in the past five years, but we have more work to do,” sai...
Experts Weigh In On Spectre Patch Challenges
The race to patch against the Meltdown and Spectre processor vulnerabilities disclosed last week is on. As of today, there are no known exploits in the wild impacting vulnerable Intel, AMD and ARM devices. Currently, vendors are focused on three main mitigation efforts. Patches that address the...