Security News

Cisco this week announced the availability of patches for a high-severity vulnerability in AnyConnect Secure Mobility Client that could be exploited for code execution. Initially disclosed in November 2020, the flaw affects the interprocess communication channel of the secure VPN application and could be abused by a local attacker to cause an AnyConnect user to run a malicious script.

IT pro Rob Dyke says an NHS-backed company not only threatened him with legal action after he flagged up an exposed GitHub repository containing credentials and insecure code, it even called the police on him. What happened next united infosec professionals across the world as well as triggering a crowdfundraiser and a behind-the-scenes legal war: we're told Apperta sent Dyke legal demands, and followed those up by alleging to the cops that he broke Britain's computer security laws.

The United States Department of Defense this week announced an expansion of the scope of its vulnerability disclosure program to include all of its publicly accessible information systems. The program has been running on HackerOne since 2016 when the DOD's Hack the Pentagon initiative was launched and provides security researchers with means to engage with the DOD when they identify vulnerabilities in the department's public-facing websites and applications.

US Department of Defense officials today announced that the department's Vulnerability Disclosure Program has been expanded to include all publicly accessible DOD websites and applications. DOD's VDP is led by the Department of Defense Cyber Crime Center, and it allows security researchers to search for and report any vulnerabilities affecting public-facing DOD information systems.

Google Project Zero will now give organizations a 30-day grace period to patch zero-day flaws it discovers in a new disclosure policy revealed this week aimed at speeding up the time it takes for patches to be adopted. Now research group is changing this tactic slightly, saying it will delay disclosure of the technical details of the vulnerability until 30 days after a patch is issued if that patch is created within the 90-day period, according to a blog post by Project Zero's Tim Willis posted Thursday.

Google's Project Zero cybersecurity research unit on Thursday announced that it's making some changes to its vulnerability disclosure policies, giving users 30 days to install patches before disclosing the technical details of a flaw. Project Zero has announced three major changes to its vulnerability disclosure policy in 2021, compared to 2020.

April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency. "This month's release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers," Microsoft said in its blog post.

The United States Department of Defense this week announced the launch of a new vulnerability disclosure program on HackerOne to identify vulnerabilities in Defense Industrial Base contractor networks. Running as a pilot, the Defense Industrial Base Vulnerability Disclosure Program covers participating DoD contractor partner's information systems and web properties, as well as other assets within scope, and is separate from the DoD vulnerability disclosure program that already runs on HackerOne.

Some QNAP network attached storage devices are vulnerable to attack because of two critical vulnerabilities, one that enables unauthenticated remote code execution and another that provides the ability to write to arbitrary files. On Thursday QNAP released TS-231 firmware version 4.3.6.1620, which addresses a command injection vulnerability and a vulnerability in Apache HTTP server.

GRIMM announced the launch of the company's new Private Vulnerability Disclosure program. This offering allows defenders to get ahead of the attack curve, instead of reacting to unknown threats, by providing previously unknown vulnerabilities.