Tag
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die. Users are advised to upgrade to v1.3.2 and update any offending models. There are no known workarounds for this vulnerability. Note that for models which contained cycles or a relation definition that has the relation itself in its evaluation path, checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. Users who do not have cyclic models are unaffected.
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6. Apps that fail verification checks may still launch.
This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 17. An attacker with JavaScript execution may be able to execute arbitrary code.
A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14. An app may be able to access sensitive user data.
By Deeba Ahmed JetBrains has fixed this flaw in version 2023.05.4 of the product released on September 18. It also released a security advisory but didn't disclose technical details of the vulnerability for now. This is a post from HackRead.com Read the original post: JetBrains Patches Severe TeamCity Flaw Allowing RCE and Server Hijacking
Categories: Android Categories: Apple Categories: Exploits and vulnerabilities Tags: Pegasus Tags: spyware Tags: nso Tags: webp Tags: libwebp Tags: buffer overflow The company behind the infamous Pegasus spyware used a vulnerability in almost every browser to plant their malware on victim's devices. (Read more...) The post Pegasus spyware and how it exploited a WebP vulnerability appeared first on Malwarebytes Labs.
Categories: Personal Tags: android Tags: xenomorph Tags: malware Tags: phone Tags: google play Tags: cryptocurrency We take a look at a new Android scam involving Xenomorph malware and a hunt for cryptocurrency credentials. (Read more...) The post Xenomorph hunts cryptocurrency logins on Android appeared first on Malwarebytes Labs.
A novel side-channel attack called GPU.zip renders virtually all modern graphics processing units (GPU) vulnerable to information leakage. "This channel exploits an optimization that is data dependent, software transparent, and present in nearly all modern GPUs: graphical data compression," a group of academics from the University of Texas at Austin, Carnegie Mellon University, University of
The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.
A new malware strain called ZenRAT has emerged in the wild that's distributed via bogus installation packages of the Bitwarden password manager. "The malware is specifically targeting Windows users and will redirect people using other hosts to a benign web page," enterprise security firm Proofpoint said in a technical report. "The malware is a modular remote access trojan (RAT) with information