Security News
Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild....
Abstract: The Common Vulnerability Scoring System is a popular method for evaluating the severity of vulnerabilities in vulnerability management. The goal of CVSS is to provide comparable scores across different evaluators.
A vulnerability management strategy that relies solely on CVSS for vulnerability prioritization is proving to be insufficient at best, according to Rezilion. Relying solely on a CVSS severity score to assess the risk of individual vulnerabilities was shown to be equivalent to randomly selecting vulnerabilities for remediation.
Microsoft patches four exploited zero-days, but lags with fixes for a fifthFor July 2023 Patch Tuesday, Microsoft has delivered 130 patches; among them are four for vulnerabilites actively exploited by attackers, but no patch for CVE-2023-36884, an Office and Windows HTML RCE vulnerability exploited in targeted attacks aimed at defense and government entities in Europe and North America. Apple pushes out emergency fix for actively exploited zero-dayApple has patched an actively exploited zero-day vulnerability by releasing Rapid Security Response updates for iPhones, iPads and Macs running the latest versions of its operating systems.
Merry Christmas, Linux systems administrators: Here's a kernel vulnerability with a CVSS score of 10 in your SMB server for the holiday season giving an unauthenticated user remote code execution. Luckily for the sysadmins reaching for more brandy to pour in that eggnog, it doesn't appear to be that widespread. Discovered the Thalium Team vulnerability research team at French aerospace firm Thales Group in July, the vulnerability is specific to the ksmbd module that was added to the Linux kernel in version 5.15.
Organizations looking to minimize exposure to exploitable software should scan Twitter for mentions of security bugs as well as use the Common Vulnerability Scoring System or CVSS, Kenna Security argues. The initial Log4j vulnerability received a base CVSS score of 10.0.
More than 1 billion records for CVS Health customers were left in the database of a third-party, unnamed vendor - exposed, unprotected, online. CVS Health is the parent company behind multiple household brands, including the CVS Pharmacy retail pharmacy chain; CVS Caremark, a pharmacy benefits manager; and Aetna, a health insurance provider.
Researchers have discovered an unprotected, exposed online database with over a billion records belonging to American healthcare company CVS Health. The discovery, made by researcher Jeremiah Fowler and the WebsitePlanet research team, happened in March 2021 and the database was secured the next day, after CVS Health was notified and they contacted the third-party vendor in charge of securing the database.
Automated vulnerability reports generated by scanning tools are returning hundreds, if not thousands of vulnerabilities, and with a great deal of organizations reporting a lack of skilled cybersecurity professionals, teams are already stretched too thin to fix each one. In an effort to resolve this, developers and security professionals have traditionally relied on vulnerability scoring systems to help them prioritize the most critical flaws and streamline remediation efforts.
A team of researchers today unveiled two critical security vulnerabilities in Dell Wyse Thin clients that could have potentially allowed attackers to remotely execute malicious code and access arbitrary files on affected devices. The flaws, which were uncovered by healthcare cybersecurity provider CyberMDX and reported to Dell in June 2020, affects all devices running ThinOS versions 8.6 and below.