Security News

CISA urges devs to weed out OS command injection vulnerabilities
2024-07-10 18:02

CISA and the FBI urged software companies on Wednesday to review their products and eliminate OS command injection vulnerabilities before shipping. "OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS," today's joint advisory explains.

Devs claim Apple is banning VPNs in Russia 'more effectively' than Putin
2024-07-05 21:27

Red Shield VPN, which is focused on providing its services to Russian users, claims it received a note from Apple that says its VPN was removed from the Russian App Store. The email, which the VPN operator shared on X, says Cupertino had to remove the app from the App Store in Russia since the software did not "conform with all local laws." This is after the Kremlin had apparently spent years trying technological approaches to block the use of the VPN. "Apple's actions, motivated by a desire to retain revenue from the Russian market, actively support an authoritarian regime," Red Shield said in a statement.

CISA urges software devs to weed out path traversal vulnerabilities
2024-05-02 19:38

CISA and the FBI urged software companies today to review their products and eliminate path traversal security vulnerabilities before shipping. Attackers can exploit path traversal vulnerabilities to create or overwrite critical files used to execute code or bypass security mechanisms like authentication.

What can be done to protect open source devs from next xz backdoor drama?
2024-04-06 16:12


AI hallucinates software packages and devs download them – even if potentially poisoned with malware
2024-03-28 07:01

According to Bar Lanyado, security researcher at Lasso Security, one of the businesses fooled by AI into incorporating the package is Alibaba, which at the time of writing still includes a pip command to download the Python package huggingface-cli in its GraphTranslator installation instructions. Lanyado did so to explore whether these kinds of hallucinated software packages - package names invented by generative AI models, presumably during project development - persist over time and to test whether invented package names could be co-opted and used to distribute malicious code by writing actual packages that use the names of code dreamed up by AIs.

CISA urges software devs to weed out SQL injection vulnerabilities
2024-03-25 18:26

CISA and the FBI urged executives of technology manufacturing companies to prompt formal reviews of their organizations' software and implement mitigations to eliminate SQL injection security vulnerabilities before shipping. In SQL injection attacks, threat actors "inject" maliciously crafted SQL queries into input fields or parameters used in database queries, exploiting vulnerabilities in the application's security to execute unintended SQL commands, such as exfiltrating, manipulating, or deleting sensitive data stored in the database.

GitHub Launches AI-Powered Autofix Tool to Assist Devs in Patching Security Flaws
2024-03-21 10:30

GitHub on Wednesday announced that it's making available a feature called code scanning autofix in public beta for all Advanced Security customers to provide targeted recommendations in an effort...

White House urges devs to switch to memory-safe programming languages
2024-02-26 21:34

The White House Office of the National Cyber Director urged tech companies today to switch to memory-safe programming languages, such as Rust, to improve software security by reducing the number of memory safety vulnerabilities. Such vulnerabilities are coding errors or weaknesses within software that can lead to memory management issues when memory can be accessed, written, allocated, or deallocated.

Raspberry Robin devs are buying exploits for faster attacks
2024-02-08 17:15

Researchers suspect the criminals behind the Raspberry Robin malware are now buying exploits for speedier cyberattacks. An exploit developer is thought by infosec pros to be either on the Raspberry Robin payroll or a close contact that sells them to the group - most likely the latter.

'everything' blocks devs from removing their own npm packages
2024-01-04 09:55

Since these 3,000+ packages manage to include every single npm package on the registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of npm's policy. 'everything' prevents you from unpublishing your packages.