A critical vulnerability in the Rust standard library, nicknamed BatBadBut and tracked as CVE-2024-24576, exposes Windows systems to command injection when a program uses `std::process::Command` to run a batch file (`.bat` or `.cmd`) with untrusted arguments. Windows runs batch files through `cmd.exe`, which re-parses the command line under its own rules rather than the `CreateProcess` quoting rules Rust escaped for, so an argument such as `"&calc.exe` can close the quoting and inject a second command. The flaw affects all versions of Rust before 1.77.2 and carries the maximum CVSS score of 10.0; the fixed release escapes batch-file arguments for `cmd.exe` and returns an `InvalidInput` error when an argument cannot be escaped safely. Security researcher RyotaK discovered and reported the bug, advising caution when executing commands on Windows and recommending that batch files be moved to a directory outside the PATH environment variable so that they are not invoked unexpectedly.
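As an added example (not RyotaK's proof of concept and not the standard library's patch), the check below refuses to attach any argument containing a `cmd.exe` metacharacter before a batch file is spawned. The script path `C:\app\build.bat` and the sample inputs are constructed for illustration; on Rust 1.77.2 or later the standard library performs an equivalent refusal itself on Windows, so this wrapper mainly documents the policy and protects code that still builds on older toolchains.

```rust
use std::io;
use std::process::Command;

/// Characters that cmd.exe reinterprets when it re-parses the command line of a
/// .bat/.cmd script: `"` closes the quoting Rust emitted, `&` `|` `<` `>` start a
/// new command or redirection, `^` escapes, `%` and `!` expand variables, and
/// CR/LF end the line. NUL is rejected because no Windows argument may contain it.
const CMD_METACHARS: &[char] = &['"', '&', '|', '<', '>', '^', '%', '!', '\r', '\n', '\0'];

/// True if `arg` contains nothing cmd.exe could treat as syntax.
pub fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.contains(CMD_METACHARS)
}

/// Build a Command for a trusted batch script, refusing every untrusted argument
/// that fails `is_safe_batch_arg`. Mirrors the error kind Rust >= 1.77.2 returns.
pub fn batch_command(script: &str, args: &[&str]) -> io::Result<Command> {
    let mut cmd = Command::new(script); // assumption: `script` itself is trusted
    for arg in args {
        if !is_safe_batch_arg(arg) {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                format!("argument {:?} contains cmd.exe metacharacters", arg),
            ));
        }
        cmd.arg(arg);
    }
    Ok(cmd)
}

fn main() {
    // Constructed sample inputs: the second is the BatBadBut shape, a closing
    // quote followed by a command separator; the third abuses `%` expansion.
    for input in ["report 2024", "\"&calc.exe", "100%&whoami"] {
        match batch_command(r"C:\app\build.bat", &[input]) {
            Ok(cmd) => println!(
                "would run {:?} with {:?}",
                cmd.get_program(),
                cmd.get_args().collect::<Vec<_>>()
            ),
            Err(e) => println!("rejected: {e}"),
        }
    }
}
```

The denylist is deliberately broad; where the script only needs identifiers or version strings, an allowlist of letters, digits, space, `.`, `_` and `-` is the stricter choice. Neither approach replaces upgrading to Rust 1.77.2, which also handles the quoting itself.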
VMware has issued security patches for four flaws affecting ESXi, Workstation, and Fusion, including two critical use-after-free bugs that can lead to code execution: CVE-2024-22252 in the XHCI USB controller and CVE-2024-22253 in the UHCI USB controller. A malicious actor with local administrative privileges in a guest can use either to execute code as the VMX process on ESXi, or on the host itself for Workstation and Fusion. The two remaining flaws, CVE-2024-22254, an out-of-bounds write in ESXi, and CVE-2024-22255, an information disclosure bug in the UHCI USB controller, have also been patched. VMware has published fixed versions and, for environments that cannot patch immediately, recommends removing all USB controllers from affected virtual machines as a temporary workaround, noting that this disables USB passthrough for those guests.
Cybersecurity researchers have shown how Ubuntu's 'command-not-found' utility, which suggests a package to install when a user types a command that is not present, can be abused to steer users toward attacker-controlled packages, opening the door to software supply chain attacks. The utility looks up commands in a local APT database and in the snap store, so an attacker who registers a snap name matching an unregistered command, or a snap that impersonates a legitimate APT package, can have their package recommended; typosquatted command names extend the same trick to mistyped commands. Users are advised to verify a package's source and publisher before installing a suggested package, while developers are urged to register the snap names associated with their commands before someone else does.