Security News

Zabbix urges upgrades after critical SQL injection bug disclosure
2024-11-29 17:44

US agencies blasted 'unforgivable' SQLi flaws earlier this year

Open-source enterprise network and application monitoring provider Zabbix is warning customers of a new critical vulnerability that...

Oracle warns of Agile PLM file disclosure flaw exploited in attacks
2024-11-19 19:56

Oracle has fixed an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM) tracked as CVE-2024-21287, which was actively exploited as a zero-day to download files. [...]

SEC fines tech companies for misleading SolarWinds disclosures
2024-10-25 12:06

The Securities and Exchange Commission charged four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – with...

SEC Charges 4 Companies Over Misleading SolarWinds Cyber Attack Disclosures
2024-10-25 09:36

The U.S. Securities and Exchange Commission (SEC) has charged four current and former public companies for making "materially misleading disclosures" related to the large-scale cyber attack that...

Tech firms to pay millions in SEC penalties for misleading SolarWinds disclosures
2024-10-22 16:31

Unisys, Avaya, Check Point, and Mimecast settled with the agency without admitting or denying wrongdoing

Four high-profile tech companies reached an agreement with the Securities and Exchange...

Jetpack fixes critical information disclosure flaw existing since 2016
2024-10-14 19:30

WordPress plugin Jetpack released a critical security update earlier today, addressing a vulnerability that allowed a logged-in user to access forms submitted by other visitors to the site. [...]

ZDI shames Microsoft for – yet another – coordinated vulnerability disclosure snafu
2024-07-15 15:00

Exclusive: A Microsoft zero-day exploit that Trend Micro's Zero Day Initiative (ZDI) team says it found and reported to Redmond in May was disclosed and patched by the Windows giant in July's Patch Tuesday, but without any credit given to ZDI. The flaw, tracked as CVE-2024-38112, is in MSHTML, Microsoft's proprietary browser engine for Internet Explorer. This series of unfortunate events highlights problems not only with Microsoft's bug reporting program but with the coordinated vulnerability disclosure process in general, according to ZDI's Dustin Childs.

Six months of SEC’s cyber disclosure rules
2024-06-12 03:00

In this Help Net Security video, Mark Millender, Senior Advisor of Global Executive Engagement at Tanium, discusses the overall sentiment from CISOs of large, public companies on the effectiveness and understanding of SEC's cyber disclosure rules and common misconceptions and gray areas to watch for. Learn what C-suite leaders can expect from the cyber disclosure rules in the next 6-12 months based on feedback, effectiveness, and guidance from industry peers.

JetBrains TeamCity under attack by ransomware thugs after disclosure mess
2024-03-07 16:34

Security researchers are increasingly seeing active exploit attempts using the latest vulnerabilities in JetBrains' TeamCity that in some cases are leading to ransomware deployment. Christiaan Beek, senior director of threat analytics at Rapid7, noted on AttackerKB that both TeamCity vulnerabilities were spotted being exploited in the wild.

Rapid7 throws JetBrains under the bus for 'uncoordinated vulnerability disclosure'
2024-03-05 13:15

Security shop Rapid7 is criticizing JetBrains for flouting Rapid7's policy against silent patching when it shipped fixes for two fresh vulnerabilities in the TeamCity CI/CD server. According to the cybersecurity company, when JetBrains proposed releasing the fixes before publishing details, Rapid7 replied that it would not agree to delayed disclosure and pointed JetBrains to its policy against silent patching, which stipulates that if a vendor violates that policy, Rapid7 will itself release the full details of the vulnerability, including enough information to allow people to develop exploits, within 24 hours.