Security News > 2023 > October

Start your patch engines - a new version of curl is due tomorrow that addresses a pair of flaws, one of which lead developer Daniel Stenberg describes as "Probably the worst curl security flaw in a long time." Curl 8.4.0 will hit at around 0600 UTC on October 11 and deal with CVE-2023-38545, which affects both libcurl and the curl tool, and CVE-2023-38546, which only affects libcurl.

A new DDoS technique named 'HTTP/2 Rapid Reset' has been actively exploited as a zero-day since August, breaking all previous records in magnitude. Since late August, Cloudflare has detected and mitigated over a thousand 'HTTP/2 Rapid Reset' DDoS attacks that surpassed 10 million rps, with 184 breaking the previous 71 million rps record.

This article provides a guide to cyber risk acceptance and outlines the valuable role of continuous penetration testing in making informed risk acceptance decisions. The risk hasn't disappeared here; instead, another business takes on the task of mitigating the risk.

Cloudflare, Google, and Amazon AWS revealed that a zero-day vulnerability in the HTTP/2 protocol has been used to mount massive, high-volume DDoS attacks, which they dubbed HTTP/2 Rapid Reset. Based on Cloudflare's data, several attacks leveraging Rapid Reset were nearly three times larger than the largest DDoS attack in Internet history.

Google on Tuesday announced the ability for all users to set up passkeys by default, five months after it rolled out support for the FIDO Alliance-backed passwordless standard for Google Accounts...

Google announced today that passkeys are now the default sign-in option across all personal Google Accounts across its services and platforms. "We've received really positive feedback from our users, so today we're making passkeys even more accessible by offering them as the default option across personal Google Accounts," said Google product managers Christiaan Brand and Sriram Karra.

If you're running GNOME on your Linux system(s), you are probably open to remote code execution attacks via a booby-trapped file, thanks to a memory corruption vulnerability in the libcue library. Discovered by GitHub security researcher Kevin Backhouse, CVE-2023-43641 affects the libcue library, which is used for parsing cue sheets that contain the layout of tracks on a CD. Libcue is also used by an application called tracker-miners, which indexes files in users' home directories.

Abstract: Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks for a variety of tasks. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations.

Certain online risks to children are on the rise, according to a recent report from Thorn, a technology nonprofit whose mission is to build technology to defend children from sexual abuse....

A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan. The Symantec...