Security News
Versions of the popular developer tool Zend Framework and its successor Laminas Project can be abused by an attacker to execute remote code on PHP-based websites, if they are running web-based applications that are vulnerable to attack. Impacted are Zend Framework version 3.0.0 and Laminas Project laminas-http before 2.14.2, with an estimated "Several million websites" using the framework and possibly impacted.
An untrusted deserialization vulnerability disclosed this week in Zend Framework can be exploited by attackers to achieve remote code execution on vulnerable PHP sites. "Zend Framework 3.0.0 has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php," states MITRE's advisory for CVE-2021-3007.
Managing and securing AD and AAD with a dynamic zero trust approach is critical to success, and can help businesses improve their overall security posture to address the reality, as evidenced in other studies, that 80 percent of breaches involve compromised or weak administrative credentials. "With 95 percent of global Fortune 1000 companies relying on Active Directory to manage their users' access, and the swift move toward Azure and cloud adoption, it becomes a natural starting point for businesses looking to implement a zero trust security model," said Bhagwat Swaroop, president and general manager, One Identity.
To help tech professionals get a stronger grasp on the important technology and how to leverage it within their own organizations, ISACA has released two new resources: Blockchain Framework and Guidance and Blockchain: An Executive View. Blockchain Framework and Guidance offers a comprehensive blockchain reference, including overview, history, information about types and their benefits and features, as well as use cases and a framework for enterprise adoption.
VMware unveiled the Modern Network framework to enable businesses, and their IT and application development teams, to accelerate adapting to a new normal. The Modern Network framework takes a top-down view, creating a network that understands the needs of the application and programmatically manages infrastructure to meet those needs.
McAfee announced the launch of MVISION Marketplace, MVISION API and MVISION Developer Portal, part of the MVISION platform that will allow customers to quickly and easily integrate McAfee and trusted Security Innovation Alliance partner applications as well as privately developed applications within their current security environment. The newly launched open API framework enables organizations to respond faster to threats while reducing total cost of operations by automating MVISION Platform capabilities and integrating with their IT and security operations.
Microsoft, in collaboration with MITRE, IBM, NVIDIA, and Bosch, has released a new open framework that aims to help security analysts detect, respond to, and remediate adversarial attacks against machine learning systems. Just as artificial intelligence and ML are being deployed in a wide variety of novel applications, threat actors can not only abuse the technology to power their malware but can also leverage it to fool machine learning models with poisoned datasets, thereby causing beneficial systems to make incorrect decisions, and pose a threat to stability and safety of AI applications.
International Data Corporation published a new assessment of eleven companies offering the tools and frameworks for developing advanced machine learning models and solutions. The eleven advanced machine learning platform providers evaluated in this MarketScape report are: Alteryx, Amazon Web Services, Cloudera, Dataiku, DataRobot, Google, H2O.ai, IBM, MathWorks, Microsoft, and SAS. Advanced machine learning platforms provide a range of ML methods primarily working with structured and semi-structured data to create predictive and prescriptive models that are then used in applications.
Success in the digital economy requires organizations to move beyond a traditional, cost-sensitive view of infrastructure and adopt a broader recognition that a responsive, scalable, and resilient cloud-centric infrastructure will help drive revenue while aligning technology adoption and IT operational governance with positive business outcomes. The transition to a cloud-centric digital infrastructure, which is already underway within many organizations, depends upon commitment to a digital strategy accompanied by a new set of key performance indicators focused on resource optimization, consistent resilience, and continual enhancement.
Microsoft on Tuesday announced the release of Project OneFuzz, an open source fuzzing framework for Azure that the tech giant has been using internally for the past year to find and patch bugs. Project OneFuzz, which Microsoft describes as an extensible fuzz testing framework, is designed to address some of the challenges typically associated with fuzzing, enabling developers to conduct this type of testing themselves and allowing security engineers to focus on other important tasks.