#zero_day

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

Duston Childs and Brian Gorenc of ZDI take the opportunity at Black Hat USA to break down the many vulnerability disclosure issues making patch prioritization a nightmare scenario for many orgs.

An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allow an unauthenticated attacker to induce an information disclosure issue in the context of the current user.

GitHub, the owner of the Node Package Manager (npm), proposes cryptographically linking source code and JavaScript packages in an effort to shore up supply chain security.

By Owais Sultan Cyberattacks aim to breach device, program, and system defenses to access critical company or individual data. If a… This is a post from HackRead.com Read the original post: Crucial Cybersecurity Software Features (2022)

The head of Microsoft's Security Response Center defends keeping its initial vulnerability disclosures sparse — it is, she says, to protect customers.

In her keynote address at Black Hat USA 2022, Kim Zetter gives a scathing rebuke of Colonial Pipeline for not foreseeing the attack.

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter.  Everyone seems to want to create the next “Netflix” of something. Xbox’s Game Pass is the “Netflix of video games.” Rent the Runway is a “Netflix of fashion” where customers subscribe to a rotation of fancy clothes.  And now threat actors are looking to be the “Netflix of malware.” All categories of malware have some sort of "as-a-service" twist now. Some of the largest ransomware groups in the world operate “as a service,” allowing smaller groups to pay a fee in exchange for using the larger group’s tools.   Our latest report on information-stealers points out that “infostealers as-a-service" are growing in popularity, and our researchers also discovered a new “C2 as-a-service" platform where attackers can pay to have this third-party site act as their command and control. And like Netflix, this Dark Utilities site offers several other layers of tools and malware to choose from. This is a parti...

The Zero Day Initiative has found a concerning uptick in security updates that fail to fix vulnerabilities.

Networking equipment major Cisco on Wednesday confirmed it was the victim of a cyberattack on May 24, 2022 after the attackers got hold of an employee's personal Google account that contained passwords synced from their web browser. "Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee's personal Google account," Cisco Talos said in a detailed write-up.