Security News

Billions of Devices Impacted by Secure Boot Bypass
2020-07-29 19:53

According to Eclypsium researchers, the bug tracked as CVE-2020-10713 could allow attackers to get around these protections and execute arbitrary code during the boot-up process, even when Secure Boot is enabled and properly performing signature verification. "During the parser stage, the configuration values are copied to internal buffers stored in memory. Configuration tokens that are longer in length than the internal buffer size end up leading to a buffer overflow issue. An attacker may leverage this flaw to execute arbitrary code, further hijacking the machine's boot process and bypassing Secure Boot protection. Consequently, it is possible for unsigned binary code to be loaded, further jeopardizing the integrity of the system."

GRUB2, you're getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system
2020-07-29 17:00

An annoying vulnerability in the widely used GRUB2 bootloader can be potentially exploited by malware or a rogue insider already on a machine to thoroughly compromise the operating system or hypervisor while evading detection by users and security tools. Any system on which GRUB2 can be installed and run at boot-time is potentially vulnerable.

Tycoon malware rages through US schools, LG's boot problem, and QNAP admins had better get busy
2020-06-08 07:45

According to BlackBerry, the Tycoon attack can be difficult to detect, thanks to it being written in Java and deployed within its own Runtime Environment. Admins of Cisco Nexus and UCS gear should make sure their firmware is updated with the latest NX-OS fix from Switchzilla.

Boots yanks loyalty card payouts after 150K accounts get stuffed
2020-03-06 10:53

Boots, a UK pharmacy chain, has suspended payments on the loyalty cards of 14.4 million active customers after its security team spotted "unusual" activity on a number of Boots Advantage Card accounts. If Boots wasn't hacked, then where did crooks get the credentials that they've evidently used to try to get into people's Advantage Card accounts so they can make fraudulent purchases on what we refer to in the States as "somebody else's dime"?

'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc
2020-03-05 14:00

It cannot be fixed without replacing the silicon, only mitigated, it is claimed: the design flaw is baked into millions of Intel processor chipsets manufactured over the past five years. Buried deep inside modern Intel chipsets is what's called the Management Engine, or these days, the Converged Security and Manageability Engine.

Fake-review purge: Facebook boots 188 groups, eBay bans 140 shills
2020-01-10 10:06

You guys are hosting a thriving marketplace for shills, charlatans and sockpuppets, the UK's watchdog told Facebook and eBay in June 2019, after finding over 100 eBay listings selling fake reviews and 26 Facebook groups offering to buy or sell them. Specifically, Facebook has booted 188 groups and yanked 24 user accounts, while eBay has permanently banned 140 users.

Google Boots Security Camera Maker From Nest Hub After Private Images Go Public
2020-01-03 15:31

China-based electronics company Xiaomi said it has fixed a "cache update" issue for its Xiaomi Mijia smart camera after a Reddit user claimed that attempts to view Xiaomi camera footage on his Google Nest Hub instead showed videos of strangers. This security camera can be linked to the Google Nest Hub if users integrate their Google accounts on Xiaomi's Mi Home application.

How boot camps may fill the need for more white hats in the US
2019-11-05 18:23

Got a pre-A12 iPhone? Love jailbreaks? Happy Friday! Unpatchable tethered Boot ROM exploit 'released'
2019-09-27 22:22

Coder claims iThings older than two years can be unlocked from Apple's clutches. A programmer claims to have found a way to execute arbitrary code on recent-ish iPhones and iPads, paving the way...

Spyware App on Google Play Gets Boot, Returns Days Later
2019-08-22 14:16

The app purported to stream music - but actually siphoned victims' device contacts and files.