Microsoft aims to replace its entire C and C++ codebase with Rust by 2030, leveraging AI and automation tools to facilitate the transition, driven by a goal to improve security and reduce technical debt, with significant investment in new tools and talent.
Google DeepMind has developed CodeMender, an AI agent that autonomously detects, patches, and rewrites vulnerable code to enhance software security, currently in research phase with promising results in fixing open-source projects and preventing exploits.
Jenkins has resolved nine security flaws, including a critical bug (CVE-2024-23897) that could lead to remote code execution (RCE) through its built-in command line interface (CLI). Attackers could exploit this vulnerability to read arbitrary files on the Jenkins controller file system, which can be chained into a range of further attacks. The flaw has been fixed in Jenkins 2.442 and LTS 2.426.3; a short-term workaround is recommended until the patch can be applied. This comes after Jenkins addressed severe security vulnerabilities last year.
GitHub has rotated some keys, including the commit signing key and customer encryption keys, in response to a high-severity vulnerability (CVE-2024-0200) that could potentially expose credentials within a production container. The vulnerability, also present on GitHub Enterprise Server, can only be exploited by an authenticated user holding the organization owner role. GitHub has also addressed another high-severity bug (CVE-2024-0507) that could allow privilege escalation via command injection.
GitLab has released security updates to address two critical vulnerabilities, including one that could lead to account takeover without user interaction. The flaw, tracked as CVE-2023-7028, affects self-managed instances of GitLab Community Edition and Enterprise Edition. Another critical flaw (CVE-2023-5356) was also patched, allowing a user to abuse Slack/Mattermost integrations. Users are advised to upgrade to the patched version as soon as possible and enable 2FA, especially for those with elevated privileges.
New York regulators are planning to introduce cybersecurity regulations for hospitals in response to a series of cyberattacks that have disrupted medical facilities. The proposed rules include requirements for hospitals to develop and test incident response plans, assess cybersecurity risks, and implement security technologies such as multifactor authentication. Hospitals will also need to establish secure software design practices for in-house applications and conduct security testing for software from vendors.
Malicious Python packages containing the BlazeStealer malware have been discovered on the Python Package Index (PyPI) repository. Disguised as obfuscation tools, these packages install a Discord bot that gives attackers complete control over compromised developer systems. The malware can steal sensitive information, execute commands, encrypt files, and even render the computer unusable. The rogue packages were downloaded over 2,400 times before being taken down, with the majority of downloads originating from the U.S. Developers are advised to remain vigilant and thoroughly vet packages before use.
Microsoft is launching the Secure Future Initiative (SFI) to overhaul its software security in response to recent cybersecurity incidents, including the SolarWinds attack and the Microsoft Exchange Server flaw. The initiative will involve using automation and AI during software development, cutting the time to fix vulnerabilities, improving security settings, and strengthening infrastructure. Microsoft aims to build an AI-based "cyber shield" to detect threats more effectively. The company also plans to reduce the time it takes to mitigate cloud vulnerabilities by 50% and enhance the security of encryption keys. Additionally, Microsoft will focus on improving security defaults and expanding secure default settings for Multi-Factor Authentication. The company calls for greater accountability for nation-states involved in undermining cloud security and urges states to recognize cloud services as critical infrastructure.
The Curl library is set to release a security patch on October 11, 2023, to address two vulnerabilities, one high-severity (CVE-2023-38545) and one low-severity (CVE-2023-38546). The exact version ranges impacted have not been disclosed, so that the bug cannot be identified before the fix ships, but it is known that versions from the past several years are affected. Organizations are advised to inventory and scan systems using curl and libcurl so that potentially vulnerable versions can be identified once details are disclosed with the release of Curl 8.4.0.
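The inventory step above is the part a defender can automate before the advisory details land. The following POSIX shell script is an added example, not code from the curl project or from the article: it parses the first line of a `curl --version` banner, extracts the curl and libcurl version numbers, and reports whether either predates the 8.4.0 release named in the item. Since the affected ranges were not public at the time, the script only answers "is this build older than the fixed release?"; the two sample banners are constructed for the example, and the `FIXED_VERSION`, `version_lt` and `assess_banner` names are the example's own.

```shell
#!/bin/sh
# Added example: flag curl/libcurl builds older than the release carrying the
# fixes for CVE-2023-38545 and CVE-2023-38546. Not from the curl project.

FIXED_VERSION="8.4.0"   # release named in the advisory notice

# Constructed sample banners (first line mirrors the "curl --version" layout).
SAMPLE_OLD="curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2023-05-30
Protocols: dict file ftp ftps http https"
SAMPLE_PATCHED="curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2023-10-11
Protocols: dict file ftp ftps http https"

# vfield VERSION N : print the N-th dotted component of VERSION, 0 if absent.
vfield() {
    printf '%s.0.0\n' "$1" | cut -d. -f"$2"
}

# version_lt A B : exit 0 when dotted version A is numerically older than B.
# Compares major.minor.patch field by field, so 8.10.1 is newer than 8.4.0
# (a plain string comparison would get that wrong). A "-DEV" style suffix
# is stripped before comparing.
version_lt() {
    a=${1%%-*}
    b=${2%%-*}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$a" "$i")
        y=$(vfield "$b" "$i")
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Pull "curl X.Y.Z" and "libcurl/X.Y.Z" from the first banner line.
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}
libcurl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# assess_banner BANNER : print one status line and return
#   0 = both curl and libcurl are at or above FIXED_VERSION
#   1 = at least one of them is older (candidate for update)
#   2 = banner could not be parsed
assess_banner() {
    cv=$(curl_version_from_banner "$1")
    lv=$(libcurl_version_from_banner "$1")
    if [ -z "$cv" ] || [ -z "$lv" ]; then
        printf 'UNKNOWN unparseable banner: %s\n' "$(printf '%s\n' "$1" | head -n 1)"
        return 2
    fi
    status=0
    for v in "$cv" "$lv"; do
        if version_lt "$v" "$FIXED_VERSION"; then status=1; fi
    done
    if [ "$status" -eq 0 ]; then
        printf 'OK      curl %s / libcurl %s (>= %s)\n' "$cv" "$lv" "$FIXED_VERSION"
    else
        printf 'UPDATE  curl %s / libcurl %s (< %s; recheck once affected ranges are published)\n' \
            "$cv" "$lv" "$FIXED_VERSION"
    fi
    return "$status"
}

# Run over the constructed samples, then over the local build if curl is present.
assess_banner "$SAMPLE_OLD" || true
assess_banner "$SAMPLE_PATCHED" || true
if command -v curl >/dev/null 2>&1; then
    assess_banner "$(curl --version 2>/dev/null)" || true
fi
```

A fleet-wide inventory would feed this the banner from each host (for example via SSH or an agent) and keep the hosts that return status 1 on a list to recheck against the real affected ranges once the advisory is out; note that statically linked libcurl copies inside other binaries will not show up in `curl --version` and need a separate check.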
Microsoft has released patches to address zero-day vulnerabilities in two widely used open source libraries, webp and libvpx, which impact several Microsoft products including Skype, Teams, and Edge. The vulnerabilities were actively exploited by spyware to target individuals, according to researchers at Google and Citizen Lab. While Microsoft has fixed the vulnerabilities, the company has not confirmed if its products were exploited or if it has the ability to detect such exploitation. Other tech companies, including Apple and Google, have also issued security updates to address the vulnerabilities in their respective products.
A Tesla software hacker known as @greentheonly has discovered a hidden feature called "Elon Mode" that enables hands-free driving in Tesla vehicles. The hacker found that the car didn't require any attention from them while using Tesla's Full Self-Driving (FSD) software. FSD is Tesla's vision-based advanced driver-assist system that's in beta but is currently available to anyone who paid as much as $15,000 for the option. The system still seems to change lanes randomly and ends up driving slowly on the highway. Whether this version of FSD will be available to regular owners is unknown.