#ios

Cary, North Carolina, 26th January 2025, CyberNewsWire

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

Third-party API security requires a tailored approach for different scenarios. Learn how to adapt your security strategy to outbound data flows, inbound traffic, and SaaS-to-SaaS interconnections.

Attackers can use a zero- or one-click flaw to send a malicious image to targets — an image that can deanonymize a user within seconds, posing a threat to journalists, activists, hackers, and others whose locations are sensitive.

Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.

Chinese hacks, rampant ransomware, and Donald Trump’s budget cuts all threaten US security. In an exit interview with WIRED, former CISA head Jen Easterly argues for her agency’s survival.

The flurry of non-human identity attacks at the end of 2024 demonstrates extremely strong momentum heading into the new year. That does not bode well.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Exploitable from adjacent network Standard: Traffic Alert and Collision Avoidance System (TCAS) II Equipment: Collision Avoidance Systems Vulnerabilities: Reliance on Untrusted Inputs in a Security Decision, External Control of System or Configuration Setting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to manipulate safety systems and cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following revisions of TCAS II are affected: TCAS II: Versions 7.1 and prior 3.2 Vulnerability Overview 3.2.1 Reliance on Untrusted Inputs in a Security Decision CWE-807 By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs). CWE-2024-9310 has been...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.9 ATTENTION: Exploitable from an adjacent network/low attack complexity Vendor: ZF Equipment: RSSPlus Vulnerability: Authentication Bypass By Primary Weakness 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely (proximal/adjacent with RF equipment) call diagnostic functions which could impact both the availability and integrity. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of RSSPlus are affected: RSSPlus 2M: build dates 01/08 through at least 01/23 3.2 VULNERABILITY OVERVIEW 3.2.1 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS CWE-305 The affected product is vulnerable to an authentication bypass vulnerability targeting deterministic RSSPlus SecurityAccess service seeds, which may allow an attacker to remotely (proximal/adjacent with RF equipment or via pivot from J2497 telematics devices) call diagnostic functions intended for workshop or repair scenarios. This ca...

Introduction Microsoft engineering teams use the Security Development Lifecycle to ensure our products are built in alignment with Microsoft’s Secure Future Initiative security principles: Secure by Design, Secure by Default, and Secure Operations. A key component of the Security Development Lifecycle is security testing, which aims to discover and mitigate security vulnerabilities before adversaries can exploit them.