Security News > 2020 > June

Linus Torvalds has removed from the next release of the Linux kernel a patch that was intended to provide an additional, opt-in mitigation against attacks on the L1 data (L1D) CPU cache. The patch, from AWS engineer Balbir Singh, was to provide "An opt-in mechanism to flush the L1D cache on context switch. The goal is to allow tasks that are paranoid due to the recent snoop-assisted data sampling vulnerabilities, to flush their L1D on being switched out. This protects their data from being snooped or leaked via side channels after the task has context switched out."

A vulnerability in the handling of IP-in-IP encapsulated packets (IP protocol 4), which can be exploited for denial-of-service attacks and to bypass security controls, has been found to affect devices from Cisco and other vendors: an affected device decapsulates and routes the inner packet without checking where the outer packet came from. Cisco has released security updates to address the vulnerability in its NX-OS software.
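As an added illustration (not code from the article, Cisco or any affected vendor), the following Python inspects raw IPv4 packets for IP-in-IP encapsulation and flags the patterns that make the behaviour above dangerous: encapsulated traffic from a source that is not a configured tunnel peer, an inner packet addressed into (or claiming to come from) a protected network that an access control on the outer interface would never have let through, and nested encapsulation. The tunnel peer list, protected networks and sample packets are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4    # IPv4 carried inside IPv4 (RFC 2003)
IPPROTO_UDP = 17


def parse_ipv4(buf):
    """Parse an IPv4 header; return (header dict, payload). Raises ValueError if malformed."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(buf) < total_len:
        raise ValueError("malformed IPv4 header")
    header = {"ttl": ttl, "proto": proto,
              "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}
    return header, buf[ihl:total_len]


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet for the constructed samples (checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def inspect_ipip(buf, tunnel_peers, protected_nets):
    """Return a list of findings for one raw IPv4 packet; an empty list means nothing suspicious."""
    outer, payload = parse_ipv4(buf)
    if outer["proto"] != IPPROTO_IPIP:
        return []                                   # not encapsulated, nothing to decapsulate
    findings = []
    if outer["src"] not in tunnel_peers:
        findings.append("ipip-from-unconfigured-peer")   # unauthenticated encapsulation
    try:
        inner, _inner_payload = parse_ipv4(payload)
    except ValueError:
        return findings + ["ipip-malformed-inner"]
    if any(inner["dst"] in net for net in protected_nets):
        findings.append("inner-dst-in-protected-net")    # decapsulation would bypass an outer ACL
    if any(inner["src"] in net for net in protected_nets):
        findings.append("inner-src-spoofs-protected-net")  # inner packet claims an internal origin
    if inner["proto"] == IPPROTO_IPIP:
        findings.append("nested-ipip")                   # recursive decapsulation work
    return findings


# Constructed policy: one legitimate tunnel peer, one internal network (hypothetical values).
TUNNEL_PEERS = {ipaddress.IPv4Address("192.0.2.10")}
PROTECTED_NETS = [ipaddress.IPv4Network("10.0.0.0/8")]
UDP_STUB = b"\x00\x35\x00\x35\x00\x08\x00\x00"   # 8-byte UDP header, constructed

# Constructed samples.
SAMPLE_UNTRUSTED = build_ipv4("203.0.113.7", "192.0.2.1", IPPROTO_IPIP,
                              build_ipv4("198.51.100.77", "10.0.0.9", IPPROTO_UDP, UDP_STUB))
SAMPLE_SPOOFED = build_ipv4("192.0.2.10", "192.0.2.1", IPPROTO_IPIP,
                            build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_UDP, UDP_STUB))
SAMPLE_NESTED = build_ipv4("203.0.113.7", "192.0.2.1", IPPROTO_IPIP,
                           build_ipv4("203.0.113.7", "192.0.2.1", IPPROTO_IPIP,
                                      build_ipv4("203.0.113.7", "192.0.2.1", IPPROTO_UDP, UDP_STUB)))
SAMPLE_TRUSTED = build_ipv4("192.0.2.10", "192.0.2.1", IPPROTO_IPIP,
                            build_ipv4("192.0.2.10", "192.0.2.20", IPPROTO_UDP, UDP_STUB))
SAMPLE_PLAIN = build_ipv4("203.0.113.7", "192.0.2.1", IPPROTO_UDP, UDP_STUB)

if __name__ == "__main__":
    for name, pkt in [("untrusted", SAMPLE_UNTRUSTED), ("spoofed", SAMPLE_SPOOFED),
                      ("nested", SAMPLE_NESTED), ("trusted", SAMPLE_TRUSTED), ("plain", SAMPLE_PLAIN)]:
        print(name, inspect_ipip(pkt, TUNNEL_PEERS, PROTECTED_NETS))
```

This is monitoring logic, not a fix: the remediation is the vendor update, or, until it is applied, dropping protocol 4 from untrusted sources at the edge and only accepting encapsulated traffic from configured tunnel peers.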

Researcher Bhavuk Jain discovered a vulnerability in the "Sign in with Apple" feature, and received a $100,000 bug bounty from Apple. Basically, forged tokens could gain access to pretty much any...

A code injection vulnerability affecting VMware Cloud Director (formerly vCloud Director) could be exploited to take over the infrastructure of cloud services, Citadelo researchers have discovered. VMware Cloud Director is a cloud service delivery platform used by public and private cloud providers to operate and manage cloud infrastructure.

Apple on Monday released security patches to address a zero-day vulnerability that had been used to jailbreak iPhones running iOS 13.5. The fix came one week after the jailbreak was released; Apple's advisory describes the root cause as a memory consumption issue that improved memory handling addresses.

The cybercriminals behind the recent attack on Elexon, which manages the electricity market in the United Kingdom, have started leaking data allegedly stolen from the company. Elexon revealed in mid-May that its IT systems were targeted in a cyberattack, but it did not provide any additional details.

British people will soon begin receiving random phone calls from so-called "Contact tracers" warning them about having been in close proximity with potential coronavirus carriers. They'll call from a published phone number - 0300 013 5000 - and, bizarrely given the context, UK.gov promises its hired call centre won't "Disclose any of your personal or medical information to your contacts".

On Saturday (May 30), at 10:48 UTC, Sectigo's AddTrust legacy root certificate expired, causing a bit of weekend havoc for thousands of websites and services that rely on it for making a secure TLS/SSL connection. "Generally speaking, this is affecting older, non-browser clients which talk to TLS servers which serve a Sectigo certificate chain ending in the expired certificate," wrote Andrew Ayer, founder of SSLMate, in a blog post.
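Why a served chain "ending in the expired certificate" breaks some clients and not others comes down to how the client builds its path to a trust anchor. The following Python is an added example (not from the article, Sectigo or SSLMate) that models path building with toy certificates: a client that stops as soon as it reaches an issuer it already trusts never looks at the expired cross-certificate, while a client that validates the chain exactly as served walks through the expired cross-certificate to the expired legacy root and fails. It also shows the two remediations: removing the cross-certificate from the served chain, which helps clients that have the modern root, and the case it cannot help, a client whose trust store holds only the legacy root. Apart from "AddTrust legacy root" and its expiry time, the certificate names are placeholders; no signatures are checked.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Toy certificate: no keys or signatures, only the fields that path building needs.
Cert = namedtuple("Cert", "subject issuer not_after")


def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed chain in the shape of the reported case; names other than the
# legacy root are placeholders, not real certificates.
ADDTRUST_EXPIRY = utc(2020, 5, 30, 10, 48)
LEGACY_ROOT = Cert("AddTrust legacy root", "AddTrust legacy root", ADDTRUST_EXPIRY)
MODERN_ROOT = Cert("Modern root", "Modern root", utc(2038, 1, 18))
# Same subject as MODERN_ROOT but signed by the legacy root; expired with it.
CROSS_SIGNED_ROOT = Cert("Modern root", "AddTrust legacy root", ADDTRUST_EXPIRY)
INTERMEDIATE = Cert("Example intermediate CA", "Modern root", utc(2030, 12, 31))
LEAF = Cert("www.example.com", "Example intermediate CA", utc(2021, 6, 1))

SERVED_CHAIN_WITH_CROSS = [LEAF, INTERMEDIATE, CROSS_SIGNED_ROOT]
SERVED_CHAIN_FIXED = [LEAF, INTERMEDIATE]            # remediation: stop serving the cross-cert

# Trust stores, keyed by subject.
UPDATED_STORE = {c.subject: c for c in (LEGACY_ROOT, MODERN_ROOT)}  # has both roots
LEGACY_ONLY_STORE = {LEGACY_ROOT.subject: LEGACY_ROOT}             # never got the modern root


def build_path(served_chain, trust_store, stop_at_trusted):
    """Return the certificates a client would validate, leaf first.

    stop_at_trusted=True: stop as soon as the current issuer is a trust anchor.
    stop_at_trusted=False: follow the served chain as far as it goes, then the store.
    """
    path = [served_chain[0]]
    extra = {c.subject: c for c in served_chain[1:]}
    while len(path) < 8:                               # guard against looping chains
        cur = path[-1]
        if cur.subject == cur.issuer:
            return path                                # reached a self-signed certificate
        if stop_at_trusted and cur.issuer in trust_store:
            return path + [trust_store[cur.issuer]]
        if cur.issuer in extra:
            path.append(extra[cur.issuer])
        elif cur.issuer in trust_store:
            path.append(trust_store[cur.issuer])
        else:
            return path                                # dangling: issuer unknown
    return path


def validate(served_chain, trust_store, now, stop_at_trusted):
    """Return (ok, detail) for the path the client would build."""
    path = build_path(served_chain, trust_store, stop_at_trusted)
    anchor = path[-1]
    if trust_store.get(anchor.subject) != anchor:
        return False, "no trust anchor reached"
    for cert in path:
        if cert.not_after <= now:
            return False, f"expired: {cert.subject} (issued by {cert.issuer})"
    return True, " -> ".join(c.subject for c in path)


if __name__ == "__main__":
    after = utc(2020, 6, 1)
    print("old client, served cross-cert:", validate(SERVED_CHAIN_WITH_CROSS, UPDATED_STORE, after, False))
    print("modern client, served cross-cert:", validate(SERVED_CHAIN_WITH_CROSS, UPDATED_STORE, after, True))
    print("old client, fixed chain:", validate(SERVED_CHAIN_FIXED, UPDATED_STORE, after, False))
    print("legacy-only store, fixed chain:", validate(SERVED_CHAIN_FIXED, LEGACY_ONLY_STORE, after, False))
```

The practical reading for a server operator: drop the expired cross-certificate from the chain you serve, then test with the oldest client you actually support, because a client whose trust store contains only the legacy root needs a trust-store update, not a server-side change.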

Zero trust aims to eliminate the implicit trust granted on the basis of where a user connects from, for example from the intranet rather than the Internet, and moves the focus of security controls to the applications, devices and users themselves. Zero trust is a framework, an approach to managing IT and network operations that helps drive protection and prevent security breaches.