Security News

FIRST releases updated coordination principles for Multi-Party Vulnerability Coordination and Disclosure
2020-05-11 04:30

The Forum of Incident Response and Security Teams (FIRST) has released an updated set of coordination principles, Guidelines for Multi-Party Vulnerability Coordination and Disclosure version 1.1. Previous best practices, policy and process for vulnerability disclosure focused on bilateral coordination between one finder and one vendor, and did not adequately address the current complexities of coordinating a vulnerability across many affected parties at once.

Cometdocs Threatens Legal Action Over Disclosure of Security Issues
2020-02-20 14:12

Cometdocs has disputed the severity of the findings and has threatened legal action against reporters if they publish what the company considers to be inaccurate articles. "The Cometdocs applications are transferring files without using encryption, providing bad actors the opportunity to cache and retrieve the files. Moreover, a man-in-the-middle attacker could access the files while 'sniffing' traffic on the same Wi-Fi network as the user. Because the Cometdocs apps do not use encryption when transmitting and storing files on its servers, they are allowing private information to leak into the hands of third-parties monitoring the network," Wandera said.

The challenges of cyber research and vulnerability disclosure for connected healthcare devices
2020-02-18 06:30

As Head of Research at CyberMDX, Elad Luz gathers and analyzes information on a variety of connected healthcare devices in order to improve the techniques used to protect them and to report their security issues to vendors. Care-critical devices that are directly connected to patients, such as infusion pumps, ventilators, anesthesia machines and patient monitors, are obviously the most critical endpoints from a security perspective.

Vulnerabilities in Mini-SNMPD Lead to DoS, Information Disclosure
2020-02-04 15:45

Vulnerabilities recently patched in Mini-SNMPD could be abused for denial-of-service attacks or to obtain sensitive information, Cisco Talos' security researchers report. Mini-SNMPD is a lightweight SNMP daemon that runs on both x86 and ARM platforms running Ubuntu, Alpine Linux, and FreeBSD. Talos' researchers discovered a total of three vulnerabilities in Mini-SNMPD: two out-of-bounds read bugs and one stack overflow.
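The bug class behind out-of-bounds reads in a protocol daemon like this is usually a length field copied from the packet and trusted. The following is an added illustration written for this page, not Mini-SNMPD's code and not a reconstruction of the specific Talos findings: a minimal BER TLV parser (SNMP messages are BER-encoded) in its vulnerable form beside a bounds-checked form, run over two constructed elements, a well-formed OCTET STRING and a truncated one whose length octet claims far more bytes than are present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded BER TLV element (tag, declared length, pointer to value).
 * Only short-form lengths (one octet, < 128) are handled, which is enough
 * to show the bug class. Illustrative code, not Mini-SNMPD's. */
struct tlv {
    uint8_t        tag;
    size_t         len;
    const uint8_t *val;
};

/* Vulnerable pattern: the length octet is taken from the packet and trusted.
 * Returns the number of bytes the element claims to occupy. Any later
 * memcpy/strncmp of out->val for out->len bytes reads past the buffer when
 * len > buflen - 2. */
size_t parse_tlv_unchecked(const uint8_t *buf, size_t buflen, struct tlv *out)
{
    if (buflen < 2)
        return 0;
    out->tag = buf[0];
    out->len = buf[1];          /* BUG: never compared with the bytes available */
    out->val = buf + 2;
    return 2 + out->len;
}

/* Hardened pattern: reject long-form lengths this parser does not handle,
 * and reject any declared length that does not fit in the remaining input
 * before handing out a pointer to the value. Returns 0 on malformed input. */
size_t parse_tlv_checked(const uint8_t *buf, size_t buflen, struct tlv *out)
{
    if (buflen < 2)
        return 0;
    size_t len = buf[1];
    if (len & 0x80)             /* long-form length: not supported here */
        return 0;
    if (len > buflen - 2)       /* declared length exceeds available bytes */
        return 0;
    out->tag = buf[0];
    out->len = len;
    out->val = buf + 2;
    return 2 + len;
}

/* Constructed inputs (not captured traffic): a well-formed OCTET STRING
 * "public", and a truncated one whose length octet (0x40 = 64) far exceeds
 * the two value bytes actually present. */
const uint8_t GOOD_PKT[] = { 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c' };
const uint8_t BAD_PKT[]  = { 0x04, 0x40, 'p', 'u' };

/* 1 if the unchecked parser would reach past the end of buf for this input.
 * Nothing is dereferenced, so calling this on BAD_PKT is safe. */
int unchecked_overreads(const uint8_t *buf, size_t buflen)
{
    struct tlv t;
    size_t claimed = parse_tlv_unchecked(buf, buflen, &t);
    return claimed > buflen;
}

/* Bytes consumed by the checked parser, or 0 if it rejected the input. */
size_t checked_consumes(const uint8_t *buf, size_t buflen)
{
    struct tlv t;
    return parse_tlv_checked(buf, buflen, &t);
}

int main(void)
{
    printf("unchecked overreads GOOD_PKT: %d\n",  unchecked_overreads(GOOD_PKT, sizeof GOOD_PKT));
    printf("unchecked overreads BAD_PKT:  %d\n",  unchecked_overreads(BAD_PKT, sizeof BAD_PKT));
    printf("checked consumes GOOD_PKT:    %zu\n", checked_consumes(GOOD_PKT, sizeof GOOD_PKT));
    printf("checked consumes BAD_PKT:     %zu\n", checked_consumes(BAD_PKT, sizeof BAD_PKT));
    return 0;
}
```

The checked variant applies the rule that matters for every TLV-style protocol: validate a declared length against the bytes remaining before the value is ever used, and fail closed on encodings the parser does not implement. In a real daemon, the unchecked form would normally be found by fuzzing the UDP listener under AddressSanitizer rather than by reading for it.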

Changing the Disclosure Shame Culture
2020-02-04 12:51

Security teams gain only snippets of insight from defensive failures, through public breach disclosures or the investigative reporting that follows large-scale and brand-name hacks. When a victim "goes dark" after detecting a breach, the vendors of the security products used within the compromised environment are similarly shut out, at precisely the time they could add the most value to both the victim and the wider defensive ecosystem.

Cisco Patches DoS, Information Disclosure Flaws in Small Business Switches
2020-01-30 14:03

Cisco this week informed customers that some of its Small Business Switches are affected by high-severity vulnerabilities that can be exploited to obtain sensitive device information and to launch denial-of-service attacks. The information disclosure vulnerability is caused by the lack of proper authentication controls and it can be exploited by sending specially crafted HTTP requests to the user interface of an affected switch.

Google Ditches Patch-Time Bug Disclosure in Favor of 90-Day Policy
2020-01-08 20:10

The more notable part of the announcement is Project Zero's decision to wait to disclose bug details until 90 days have elapsed, even if a patch becomes available before then. "For the last five years, the team has used its vulnerability disclosure policy to focus on one primary goal: Faster patch development," explained Project Zero's Tim Willis in a posting on Tuesday on the policy changes.

Google Project Zero Updates Vulnerability Disclosure Policy
2020-01-08 18:27

Google's Project Zero has updated its vulnerability disclosure policy to keep bug reports closed for 90 days, regardless of whether a patch is out before the deadline. The goal of this new policy, Google Project Zero's Tim Willis notes, goes beyond just attempting to speed up patching: thorough patch development and improved patch adoption are also a focus.

Blunt the Effect of the Two-Edged Sword of Vulnerability Disclosures
2019-12-10 20:29

When Hackers and Vendors Both Benefit, Your System May be the Biggest Loser

Moxa Addresses Industrial AP Vulnerabilities Several Months After Disclosure
2019-12-05 13:57

Moxa Urges Users to Replace Discontinued Industrial AP Filled With Security Holes