It's a minimal issue today, I'm afraid: I have a day off and it's a very busy one :-) The content will mostly be what you expect, but the news will have the standard summaries that the article itself provides instead of me writing my own take.
Looking at the final result, maybe I should start calling them "quick" issues instead of minimal. Gathering the breaches and vulnerabilities doesn't take up that much time. Writing my own summaries for news articles does though, and that's what I skip when going "minimal". Hmm. Quick issue it is!
Breaches and leaks
- DNA testing service 23andMe investigating theft of user data: link.
- Motel One discloses data breach following ransomware attack: link.
- Sony attacked by two ransomware operators: link.
A new Linux vulnerability, known as 'Looney Tunables' and tracked as CVE-2023-4911, enables local attackers to gain root privileges by exploiting a buffer overflow weakness in the GNU C Library's ld.so dynamic loader.
A critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers. Also: Exim patches three of six zero-day bugs disclosed last week: link.
Targets of the operation were given phony coding challenges that delivered a range of malware, including a previously-unseen backdoor.
If you feel like doing a quick pentest every few quarters isn't enough, you are correct. Take a look at the combination of continuous vulnerability assessments and real-time pentesting that GlitchSecure offers. Every finding is verified by highly skilled (and wonderful) humans. (Sponsored)
Issues and fixes
- Apple patches vulnerabilities on iPhone and iPad: link.
- Microsoft Edge, Teams get fixes for zero-days in open-source libraries: link.
- Android October security update fixes zero-days exploited in attacks: link.
- cURL will release a fix soon for an unknown but serious vulnerability: link.
- Exploit released for Microsoft SharePoint Server auth bypass flaw: link.
- Arm warns of Mali GPU flaws likely exploited in targeted attacks: link.
- TeamCity RCE flaw exploited by ransomware gang: link.
- Atlassian Confluence bug under attack: link.
- Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers: link.
- ShellTorch flaws expose AI servers to code execution attacks: link.
Hackers from countries like Iran are increasingly pairing their hacking operations with information operations pushing propaganda.
Cloudflare's Firewall and DDoS prevention can be bypassed through a specific attack process that leverages logic flaws in cross-tenant security controls.
Google will introduce new sender guidelines in February to bolster email security against phishing and malware delivery by mandating bulk senders to authenticate their emails and adhere to stricter spam thresholds.
It's never been easier to hide malware in plain sight in open source software package repositories, and "DiscordRAT 2.0" now makes it easy to take advantage of those who stumble upon it.
US govt confirms outage, leaves feline in quantum state of uncertainty.
Passkey support is now available in 1Password, letting you create, manage, and sign in with passkeys on a growing number of websites and apps using the desktop version of 1Password in the browser, as well as on your iOS 17 and iPadOS 17 devices. (Sponsored)