Security update for the Linux Kernel (important)
An update that solves 6 vulnerabilities and has 171 fixes is now available. Description: The openSUSE Leap 15.0 was updated to receive various security and bugfixes. The following security bugs were fixed: CVE-2019-2024: A use-after-free when disconnecting a source was fixed which...
7.8CVSS
-0.4AI Score
0.053EPSS
SAS 2019: Joe FitzPatrick Warns of the '$5 Supply Chain Attack'
SINGAPORE – At the Security Analyst Summit this year in Singapore, Threatpost editor Tara Seals catches up with Joe FitzPatrick, researcher with Securing Hardware, who led a session during the conference titled “A Measured Response to a Grain of Rice: An Implant in the Shell.” After a 2018...
-0.1AI Score
FortiAP Bleeding Bit Vulnerability
Some FortiAP models are vulnerable to the Bleeding Bit Vulnerability (CVE-2018-16986) present in the Texas Instruments WiFi...
8.8CVSS
1.8AI Score
0.05EPSS
Intel Patches High-Severity Flaws in Media SDK, Mini PC
Intel has released security updates addressing two high-severity vulnerabilities in its Intel Media Software Development Kit (SDK) and Intel NUC mini PC. Overall, the chip giant on Tuesday patched four flaws across its products; the most severe of these vulnerabilities exist in Intel’s Media...
2.9AI Score
0.0004EPSS
Nvidia Fixes 8 High-Severity Flaws Allowing DoS, Code Execution
Nvidia has released fixes for eight high-severity vulnerabilities in its Linux for Tegra driver packages. The worst of these flaws could allow information disclosure, denial of service and code execution on impacted systems. Overall, the chipmaker on Tuesday released patches for 13 flaws that...
1.1AI Score
0.001EPSS
Google's April Android Security Bulletin Warns of 3 Critical Bugs
Google has fixed three critical remote code execution bugs in its Android operating system, which could allow a remote attacker to hijack a vulnerable system simply by sending a malicious file. The flaws are part of Google’s April Android Security Bulletin, which includes patches for three...
1.5AI Score
0.002EPSS
Intel VISA Tech Can Be Abused, Researchers Allege
UPDATE Researchers allege that a technology in Intel microchips could potentially be activated and abused by bad actors – giving them complete access to all data across an affected device. The Intel technology is called Visualization of Internal Signals Architecture (VISA), and is used for...
0.3AI Score
0.001EPSS
Security for Connected Devices
With this post, I want to continue from earlier discussions on security posted here and here and focus on Connected Devices or the Internet of Things (IoT). IoT typically represents a network of physical objects (or “things”) embedded with electronics, software, sensors, and connectivity to enable....
0.2AI Score
RSA Conference 2019: BleedingBit Flaws Continue to Plague Firms
UPDATE SAN FRANCISCO – Mobile key platform UniKey has patched vulnerabilities related to the infamous BleedingBit attack in its platform. BleedingBit is an issue in Bluetooth Low-Energy chips made by Texas Instruments (and used in millions of wireless access points), which was disclosed in...
0.6AI Score
0.05EPSS
Smart Ski Helmet Headphone Flaws Leak Personal, GPS Data
Researchers have found a slew of vulnerabilities in a pair of smart headphones designed to fit under ski helmets. The flaws could allow a bad actor to view victims’ personal information, track them and even listen to their private conversations via the headphones’ walkie-talkie function, which...
0.5AI Score
I love snow sports, and I also like my tunes, so purchasing the Outdoor Tech CHIPS smart headphones was a no-brainer. They fit into audio-equipped helmets and have huge 40mm drivers. Warm ears and good bass. Better yet, they’re touch sensitive even with gloves on and I can take calls handsfree....
7.1AI Score
Spectre, Google, and the Universal Read Gadget
Spectre, a seemingly never ending menace to processors, is back in the limelight once again thanks to the Universal Read Gadget. First seen at the start of 2018, Spectre emerged alongside Meltdown as a major potential threat to people’s system security. Meltdown and Spectre Meltdown targeted Intel....
0.1AI Score
Marvell Avastar wireless SoCs have multiple vulnerabilities
Overview Some Marvell Avastar wireless system on chip (SoC) models have multiple vulnerabilities, including a block pool overflow during Wi-Fi network scan. Description A presentation at the ZeroNights 2018 conference describes multiple security issues with Marvell Avastar SoCs (models 88W8787,...
8.8CVSS
0.3AI Score
0.017EPSS
openSUSE Security Update : the Linux Kernel (openSUSE-2019-65)
The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via ...
8CVSS
-0.1AI Score
0.006EPSS
A week in security (January 14 – 20)
Last week on the Malwarebytes Labs blog, we took a look at how the government shutdown is influencing cybersecurity jobs, Advanced Persistent Threats group APT10, the comeback of Fallout EK, the hosting of malicious sites on legitimate servers, and the Collection 1 data breach. Other cybersecurity....
7.8CVSS
8.2AI Score
0.002EPSS
Security update for the Linux Kernel (important)
An update that solves 11 vulnerabilities and has 131 fixes is now available. Description: The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c ...
8CVSS
-0.2AI Score
0.006EPSS
Cryptocurrency Wallet Hacks Spark Dustup
LEIPZIG, GERMANY – Hardware based cryptocurrency wallets may not be as secure as promised. That’s the judgement of Dmitry Nedospasov, Thomas Roth and Josh Datko who together presented their research at a session here at the 35c3 conference called “wallet.fail.” In the talk the researchers...
-0.2AI Score
Assessing the security of a portable router: a look inside its hardware, part deux
In part two of our blog assessing the security of a portable router, we will acquire the tools and equipment to make a copy of the firmware on our target router so that we can assess the full firmware. Sometimes, the manufacturer has an updated firmware that is available on their website. It could....
-0.4AI Score
#OTTuesday: Five Technologies Shaping the Future of OTT
The world of OTT is changing radically with new innovations, from player technologies to standards convergence, propelling the industry forward. As 2018 comes to a close, AkamaiTV sat down with DASH legend and Akamai's very own Will Law to get his pulse on the major trends and technologies that...
0.1AI Score
openSUSE Security Update : the Linux Kernel (openSUSE-2018-1549)
The openSUSE Leap 42.3 kernel was updated to 4.4.165-81.1 to receive various bugfixes. The following non-security bugs were fixed : 9p locks: fix glock.client_id leak in do_lock (bnc#1012382). 9p: clear dangling pointers in p9stat_free (bnc#1012382). ACPI / LPSS: Add alternative ACPI...
Security update for the Linux Kernel (important)
The openSUSE Leap 42.3 kernel was updated to 4.4.165-81.1 to receive various bugfixes. The following non-security bugs were fixed: 9p locks: fix glock.client_id leak in do_lock (bnc#1012382). 9p: clear dangling pointers in p9stat_free (bnc#1012382). ACPI / LPSS: Add alternative ACPI HIDs for...
-0.4AI Score
Google Patches 11 Critical RCE Android Vulnerabilities
Remote code-execution (RCE) vulnerabilities dominated Google’s December Android Security Bulletin. The flaws are part of a total of 53 unique bugs patched by the Android security team, with a total number of 11 critical bugs – six of which are RCE flaws tied to the operating system’s Media...
0.5AI Score
0.001EPSS
That Bloomberg Supply-Chain-Hack Story
Back in October, Bloomberg reported that China has managed to install backdoors into server equipment that ended up in networks belonging to -- among others -- Apple and Amazon. Pretty much everybody has denied it (including the US DHS and the UK NCSC). Bloomberg has stood by its story -- and is...
2AI Score
Cyberthreats to financial institutions 2019: overview and predictions
Kaspersky Security Bulletin: Threat Predictions for 2019 Threat predictions for industrial security in 2019 Cryptocurrency threat predictions for 2019 Introduction – key events in 2018 The past year has been extremely eventful in terms of the digital threats faced by financial institutions:...
0.7AI Score
Chip Cards Fail to Reduce Credit Card Fraud in the US
A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals. The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the...
0.3AI Score
[SECURITY] [DLA 1573-1] firmware-nonfree security update
Package : firmware-nonfree Version : 20161130-4~deb8u1 CVE ID : CVE-2016-0801 CVE-2017-0561 CVE-2017-9417 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 Debian Bug : 620066 724970 769633 774914 790061 793544 793874...
9.8CVSS
8.8AI Score
0.201EPSS
Debian DLA-1573-1 : firmware-nonfree security update (KRACK)
Several vulnerabilities have been discovered in the firmware for Broadcom BCM43xx wifi chips that may lead to a privilege escalation or loss of confidentiality. CVE-2016-0801 Broadgate Team discovered flaws in packet processing in the Broadcom wifi firmware and proprietary drivers that could lead.....
9.8CVSS
0.5AI Score
0.201EPSS
Apple Modernizes Its Hardware Security with T2
When Apple launched its latest MacBook Air last month, one of its more unusual features is that the built-in microphone automatically turns off when the lid is closed. Apple introduced the feature to eliminate any possibility of malware – or other unwanted applications – using the laptop’s...
-0.7AI Score
The x86 Processor Fuzzer: sandsifter
Your computer is not yours. You may have shelled out thousands of dollars for it. It may be sitting right there on your desk. You may have carved your name deep into its side with a blowtorch and chisel. But it’s still not yours. Some vendors are building secret processor registers into your...
-0.2AI Score
Bluetooth Chip Bugs Affect Enterprise Wi-Fi, as Hackers Exploit Cisco 0-Day
In this latest roundup of cyber security news, we look at serious Bluetooth chip-level bugs, a zero-day vulnerability on Cisco software, a raft of Apple security fixes, and a massive customer data breach at Cathay Pacific. Enterprise Wi-Fi access points vulnerable to Bluetooth bug A pair of...
8.2AI Score
Which Threats had the Most Impact During the First Half of 2018?
One of the best ways for organizations to shore up their data security efforts and work toward more proactive protection is by examining trends within the threat environment. Taking a look at the strategies for attack, infiltration and infection currently being utilized by hackers can point toward....
-0.1AI Score
PortSmash Side Channel Attack Siphons Data From Intel, Other CPUs
Yet another side-channel attack, this time dubbed PortSmash, has been discovered in CPUs. The attack allows attackers to manipulate a glitch in the simultaneous multithreading (SMT) architecture used in CPUs — and siphon processed data from chips. Several attacks have popped up over the past year.....
-0.3AI Score
0.001EPSS
Feds accuse Chinese firm of stealing trade secrets of US tech giant
By Uzair Amir The US Justice Department has accused China of being involved in industrial espionage. According to a press release from the department, the Chinese government has made memory chips that store data its centralized science and technology strategy only to cover its espionage activities....
6.9AI Score
Two New Bluetooth Chip Flaws Expose Millions of Devices to Remote Attacks
Security researchers have unveiled details of two critical vulnerabilities in Bluetooth Low Energy (BLE) chips embedded in millions of access points and networking devices used by enterprises around the world. Dubbed BleedingBit, the set of two vulnerabilities could allow remote attackers to...
8.8CVSS
0.9AI Score
0.05EPSS
Two Zero-Day Bugs Open Millions of Wireless Access Points to Attack
UPDATE Two zero-day vulnerabilities in Bluetooth Low-Energy chips made by Texas Instruments (and used in millions of wireless access points) open corporate networks to crippling stealth attacks. Adversaries can exploit the bugs by simply being approximately 100 to 300 feet from the vulnerable...
0.1AI Score
0.05EPSS
Texas Instruments Bluetooth Low Energy Denial of Service and Remote Code Execution Vulnerability
On November 1st, 2018, Armis announced the presence of a Remote Code Execution (RCE) or Denial of Service (DoS) vulnerability in the Bluetooth Low Energy (BLE) Stack on Texas Instruments (TI) chips CC2640 and CC2650. This vulnerability has been assigned the Common Vulnerabilities and Exposures...
2.1AI Score
0.05EPSS
Texas Instruments CC2640 and CC2650 microcontrollers vulnerable to heap overflow and insecure update
Overview Texas Instruments CC2640 and CC2650 microcontrollers are vulnerable to a heap overflow and may allow unauthenticated firmware installation. Description CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CVE-2018-16986 - also known as BLEEDINGBIT The following....
8.8CVSS
1.1AI Score
0.05EPSS
Ghost hardware. Device No.2, the Boo Buddy
The “Boo Buddy” is sold as a “trigger object” with a wide range of internal functionality such as EMF, motion and temperature detection. It’s a “trigger object”, in the sense that it is designed to evoke the spirits of children, who might be drawn in by the presence of a toy. Many people have...
7.1AI Score
This Week in Security News: Toll Fraud & Small Business Struggles
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn why telecommunications fraud has turned into a multi-billion euro criminal industry. Also, understand what cybersecurity struggles...
-0.5AI Score
Apple, Amazon in a Tussle with Bloomberg over Spy Chips Report
In our latest security news digest, we delve into the brouhaha over Chinese spy chips, check out the latest in Facebook's investigation of its recent hack, and look at Google's controversial decision to delay disclosing a potential data breach. Bloomberg's spy chip report stuns tech industry, then....
-0.5AI Score
0.002EPSS
Security in a World of Physically Capable Computers
It's no secret that computers are insecure. Stories like the recent Facebook hack, the Equifax hack and the hacking of government agencies are remarkable for how unremarkable they really are. They might make headlines for a few days, but they're just the newsworthy tip of a very large iceberg. The....
-0.4AI Score
OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0266)
The remote OracleVM system is missing necessary patches to address critical security updates : bnxt_en: xdp: don't make drivers report attachment mode (partial backport) (Somasundaram Krishnasamy) [Orabug: 27988326] bpf: make bnxt compatible w/ bpf_xdp_adjust_tail (Nikita V....
7.8CVSS
0.2AI Score
0.001EPSS
Bloomberg blunder highlights supply chain risks
Ooh boy! Talk about a back-and-forth, he said, she said story! No, we’re not talking about that Supreme Court nomination. Rather, we’re talking about Supermicro. Supermicro manufactures the type of computer hardware that is used by technology behemoths like Amazon and Apple, as well as government....
-0.5AI Score
Unbreakable Enterprise kernel security update
[4.1.12-124.20.1] - bnxt_en: xdp: don't make drivers report attachment mode (partial backport) (Somasundaram Krishnasamy) [Orabug: 27988326] - bpf: make bnxt compatible w/ bpf_xdp_adjust_tail (Nikita V. Shirokov) [Orabug: 27988326] - bnxt_en: add meta pointer for direct access (partial...
7.8CVSS
-0.3AI Score
0.001EPSS
New Ninth-Gen Intel CPUs Shield Against Some Spectre, Meltdown Variants
Intel’s new ninth-generation CPUs come packed with hardware-based protections against two variants of the infamous Meltdown and Spectre speculative execution attacks. The ninth-generation desktop Core processors are dubbed Coffee Lake, and became available for preorder on Tuesday. They’re built to....
2.2AI Score
0.974EPSS
Sandsifter - The X86 Processor Fuzzer
The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor's instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor;...
7.7AI Score
openSUSE Security Update : the Linux Kernel (openSUSE-2018-1140)
The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI ...
8.4CVSS
0.4AI Score
0.022EPSS
Security update for the Linux Kernel (important)
The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI...
0.4AI Score
0.022EPSS
Network Security Monitoring vs Supply Chain Backdoors
On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to....
0.1AI Score
Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It?
From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times. Bloomberg Businessweek on Thursday published a bombshell investigation...
7.6AI Score