CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Buffer Overflows

On November 1, 2022, OpenSSL released a security advisory describing two high severity vulnerabilities within the OpenSSL library (CVE-2022-3786 and CVE-2022-3602). OpenSSL versions from 3.0.0 – 3.0.6 are vulnerable, with 3.0.7 containing the patch for both vulnerabilities. OpenSSL 1.1.1 and Read More …

Google Chrome emergency update fixes 9th zero-day of the year

Google has released Chrome 108.0.5359.94/.95 for Windows, Mac, and Linux users to address a single high-severity security flaw, the ninth Chrome zero-day exploited in the wild patched since the start of the year. “Google is aware of reports that an Read More …

New details on commercial spyware vendor Variston

Threat Analysis Group (TAG) has been tracking the activities of commercial spyware vendors for years, using our research to improve the safety and security of Google’s products and share intelligence with our industry peers. TAG’s research underscores that the commercial Read More …

Cloudflare finds a way through China’s network defences

Cloudflare has found a way to extend some of its services across the Great Firewall and into mainland China. “Performance and reliability for traffic flows across the mainland China border have been a consistent challenge for IT teams within multinational Read More …

CISA Adds Two Known Exploited Vulnerabilities to Catalog

ISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view Read More …

Iranian Hackers Installed Crypto Miner in Federal Agency After Exploiting Unpatched Log4Shell Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) said Iranian hackers breached a federal agency that failed to patch the Log4Shell vulnerability and deployed a crypto miner. The Log4Shell vulnerability (CVE-2021-44228) is a critical remote code execution flaw on Apache’s Log4j Read More …

Google pushes emergency Chrome update to fix 8th zero-day in 2022

Google has released an emergency security update for the desktop version of the Chrome web browser, addressing the eighth zero-day vulnerability exploited in attacks this year. The high-severity flaw is tracked as CVE-2022-4135 and is a heap buffer overflow in Read More …

CISA Releases Eight Industrial Control Systems Advisories

CISA has released eight (8) Industrial Control Systems (ICS) advisories on 22 November 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisory Read More …

Vulnerable SDK components lead to supply chain risks in IoT and OT environments

Vulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External tools and products that are managed by vendors and developers can pose a security risk, especially Read More …