A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries … [Read more...] about Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries
bugs
SAILFISH System to Find State-Inconsistency Bugs in Smart Contracts
A group of academics from the University of California, Santa Barbara, has demonstrated what it calls a "scalable technique" to vet smart contracts and mitigate state-inconsistency bugs, discovering 47 zero-day vulnerabilities on the Ethereum blockchain in the process. Smart contracts are programs stored on the blockchain that are automatically executed when predetermined … [Read more...] about SAILFISH System to Find State-Inconsistency Bugs in Smart Contracts
Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers
Microsoft is urging customers to patch two security vulnerabilities in Active Directory domain controllers that it addressed in November following the availability of a proof-of-concept (PoC) tool on December 12. The two vulnerabilities — tracked as CVE-2021-42278 and CVE-2021-42287 — have a severity rating of 7.5 out of a maximum of 10 and concern a privilege escalation flaw … [Read more...] about Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers
Facebook to Pay Hackers for Reporting Data Scraping Bugs and Scraped Datasets
Meta Platforms, the company formerly known as Facebook, has announced that it's expanding its bug bounty program to start rewarding valid reports of scraping vulnerabilities across its platforms as well as include reports of scraping data sets that are available online. "We know that automated activity designed to scrape people's public and private data targets every website or … [Read more...] about Facebook to Pay Hackers for Reporting Data Scraping Bugs and Scraped Datasets
Eavesdropping Bugs in MediaTek Chips Affect 37% of All Smartphones and IoT Globally
Multiple security weaknesses have been disclosed in MediaTek system-on-chips (SoCs) that could have enabled a threat actor to elevate privileges and execute arbitrary code in the firmware of the audio processor, effectively allowing the attackers to carry out a "massive eavesdrop campaign" without the users' knowledge. The discovery of the flaws is the result of … [Read more...] about Eavesdropping Bugs in MediaTek Chips Affect 37% of All Smartphones and IoT Globally
How CrowdStrike Intelligence Uses Fuzzing to Hunt for Bugs
One useful method in a security researcher’s toolbox for discovering new bugs in software is called “fuzz testing,” or just “fuzzing.” Fuzzing is an automatic software testing approach where the software that is to be tested (the target) is automatically fed with input data and its behavior during execution is analyzed and checked for any errors. For the CrowdStrike … [Read more...] about How CrowdStrike Intelligence Uses Fuzzing to Hunt for Bugs
Several Bugs Found in 3 Open-Source Software Used by Several Businesses
Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects — EspoCRM, Pimcore, and Akaunting — that are widely used by several small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks. All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer … [Read more...] about Several Bugs Found in 3 Open-Source Software Used by Several Businesses
China’s New Law Requires Researchers to Report All Zero-Day Bugs to Government
The Cyberspace Administration of China (CAC) has issued new stricter vulnerability disclosures regulations that mandate security researchers uncovering critical flaws in computer systems to mandatorily disclose them first-hand to the government authorities within two days of filing a report. The "Regulations on the Management of Network Product Security Vulnerability" are … [Read more...] about China’s New Law Requires Researchers to Report All Zero-Day Bugs to Government
Severe Bugs Reported in EtherNet/IP Stack for Industrial Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an advisory warning of multiple vulnerabilities in the OpENer EtherNet/IP stack that could expose industrial systems to denial-of-service (DoS) attacks, data leaks, and remote code execution. All OpENer commits and versions prior to February 10, 2021, are affected, although there are no known … [Read more...] about Severe Bugs Reported in EtherNet/IP Stack for Industrial Systems
New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems
Cybersecurity researchers on Monday disclosed two new vulnerabilities in Linux-based operating systems that, if successfully exploited, could let attackers circumvent mitigations for speculative attacks such as Spectre and obtain sensitive information from kernel memory. Discovered by Piotr Krysiuk of Symantec's Threat Hunter team, the flaws — tracked as CVE-2020-27170 and … [Read more...] about New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems