Security News

QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage devices. The flaws were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier.

Moscow has set up its own certificate authority to issue TLS certs to Russians affected by sanctions or otherwise punished for president Putin's invasion of Ukraine. A notice on the government's unified public service portal states that the certificates will be made available to Russian websites unable to renew or obtain security certificates as a knock-on effect of Western sanctions and organizations refusing to support Russian customers.

Let's Encrypt, a non-profit organization that helps people obtain free SSL/TLS certificates for websites, plans to revoke a non-trivial number of its certs on Friday because they were improperly issued. In a post to the Let's Encrypt discussion community forum, site reliability engineer Jillian Tessa explained that on Tuesday, a third party reported "Two irregularities" in the code implementing the "TLS Using ALPN" validation method in Boulder, its Automatic Certificate Management Environment software.

As you can imagine, some classes of RCE bug are considered much more wormable than others, especially bugs that can be triggered directly via a simple network interaction. HTTP.sys is part of Windows and is available to any program that uses ASP.NET. HTTP.sys works on Windows 7 clients and later.

Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022. The bug, tracked as CVE-2022-21907 and patched during this month's Patch Tuesday, was discovered in the HTTP Protocol Stack used as a protocol listener for processing HTTP requests by the Windows Internet Information Services web server.

Almost a third of the world wide web's top million sites are still not using HTTPS by default, according to infosec researcher Scott Helme's analysis. TLS v1.1 - which browser-maker Mozilla said it would actively block from March 2020 onwards - has completely disappeared from Helme's analysis, while v1.3 has spread from around 16 per cent of websites to 37 per cent of the million sites analysed, itself an increase of 129 per cent over the last 18 months.

In a paper distributed this month through ArXiv, they describe a HTTP protocol called HTTPS Attestable to enhance online security with remote attestation - a way for apps to obtain an assurance that data will be handled by trusted software in secure execution environments. "We propose a general solution to standardize attestation over HTTPS and establish multiple trusted connections to protect and manage requested data for selected HTTP domains," they say.

A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks. HTTP Request Smuggling, as the name implies, is a web application attack that tampers the manner a website processes sequences of HTTP requests received from more than one user.

A distributed denial-of-service attack earlier this year takes the top spot for the largest such incident, peaking at 17.2 million requests per second. The attack was recorded by Cloudflare's DDoS protection systems and accounted for almost 70% of all average rate for legitimate HTTP traffic for the second quarter of 2021.

This change builds on the inclusion of default blocks for cross-site tracking in private browsing, first introduced after Total Cookie Protection was released with Firefox 86 in February. Enhanced Cookie Clearing is triggered automatically whenever you're clearing cookies and other site data after enabling Strict Tracking Protection.