Tag: Log4Shell
XZ Utils Scare Exposes Hard Truths in Software Security
The recent discovery of a backdoor in the XZ Utils data compression utility — present in nearly all major Linux distributions — is a...
Breaking News
Will Government Secure Open Source or Muck It Up?
Can open source software be regulated? Should it be regulated? And if so, will it lead to enhanced security? In mid-September, two governments' approaches...
‘Gold Melody’ Access Broker Plays on Unpatched Servers’ Strings
An initial access broker (IAB) is still running rampant despite being tracked for seven years by researchers, and despite striking up a predictable tune...
Security Conferences Keep Us Honest
In August on a stage at Black Hat USA, I described in detail how Microsoft guest accounts could gain access to view and manipulate...
Iranian APT Hits US Aviation Org via ManageEngine, Fortinet Bugs
State-sponsored threat actors have exploited a US aeronautical organization, using known vulnerabilities in Zoho ManageEngine software and in Fortinet firewalls. The organization has not been...
Despite Post-Log4J Security Gains, Developers Can Still Improve
Developers are increasingly adopting security testing as part of the development pipeline, but companies still have room for improvement, with a minority of companies...
WordPress plugin lets users become admins – Patch early, patch often!
by Paul Ducklin If you run a WordPress site with the Ultimate Members plugin installed, make sure you’ve updated it...
Lazarus Group Striking Vulnerable Windows IIS Web Servers
The North Korean state-backed threat actor Lazarus Group has reinvented its ongoing espionage campaign by exploiting known vulnerabilities in unpatched Windows IIS Web servers...
AI Experts: Account for AI/ML Resilience & Risk While There’s Still Time
RSA CONFERENCE 2023 – San Francisco – As enterprises and government agencies increasingly weave artificial intelligence (AI) and machine learning (ML) into their broader set...
VMware patches break-and-enter hole in logging tools: update now!
by Paul Ducklin Logging software has made cyberinsecurity headlines many times before, notably in the case of the Apache Log4J...
Popular server-side JavaScript security sandbox “vm2” patches remote execution hole
by Paul Ducklin We’ve written before, back in 2022, about a code execution hole in the widely-used JavaScript sandbox system...
10 Vulnerability Types to Focus On This Year
Keeping applications and networks secure can seem like a Sisyphean task. No matter how much time and resources security and IT teams devote to...