Security News

Google's Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year. As the data shows, the average period software vendors needed to issue security fixes reported by Project Zero last year was 52 days, down from 80 days three years ago.

Researchers from firmware protection company Binarly have discovered critical vulnerabilities in the UEFI firmware from InsydeH2O used by multiple computer vendors such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer. UEFI software is an interface between a device's firmware and the operating system, which handles the booting process, system diagnostics, and repair functions.

As many as 23 new high severity security vulnerabilities have been disclosed in different implementations of Unified Extensible Firmware Interface firmware used by numerous vendors, including Bull Atos, Fujitsu, HP, Juniper Networks, Lenovo, among others. The vulnerabilities reside in Insyde Software's InsydeH2O UEFI firmware, according to enterprise firmware security company Binarly, with a majority of the anomalies diagnosed in the System Management Mode.

Cybersecurity researchers have detailed a high severity flaw in KCodes NetUSB component that's integrated into millions of end-user router devices from Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital, among others. KCodes NetUSB is a Linux kernel module that enables devices on a local network to provide USB-based services over IP. Printers, external hard drives, and flash drives plugged into a Linux-based embedded system are made available via the network using the driver.

A Vanson Bourne survey report highlights ransomware payout demands and extortion fees are massively increasing, while trust in legacy IT vendors has dipped and organizations are in fact getting slower at detecting cybersecurity incidents. "The survey presents an alarming picture of the modern threat landscape, demonstrating that adversaries continue to exploit organizations around the world and circumvent outdated technologies. Today's threat environment is costing businesses around the world millions of dollars and causing additional fallout," said Michael Sentonas, CTO at CrowdStrike.

Researchers have released public exploit code and a proof of concept tool to test Bluetooth devices against System-on-a-Chip security bugs impacting multiple vendors, including Intel, Qualcomm, Texas Instruments, and Cypress. CISA warned vendors Thursday to patch these vulnerabilities after the security researchers released the proof of concept tool to test Bluetooth devices against BrakTooth exploits.

Law enforcement authorities arrested 150 suspects allegedly involved in selling and buying illicit goods on DarkMarket, the largest illegal marketplace on the dark web when it was taken down in January 2021. The arrests are the result of a coordinated international operation dubbed Dark HunTOR that lasted ten months and involved police forces and investigators from nine countries.

Cybersecurity Advisors Network, the Paris-based body that represents infosec pros, has created a new working group to advocate for legislation that stops vendors from suing when security researchers show them zero-day bugs in their kit. Peter Coroneos, CyAN international veep and leader of its new "Zero Day Legislative Project" told The Register the organisation recently staged a virtual meeting of 150-plus security researchers and the topic of aggressive legal responses to disclosures was high on their list of worries.

A large number of IoT systems could be exposed to remote hacker attacks due to serious vulnerabilities found in software development kits provided to device manufacturers by Taiwan-based semiconductor company Realtek. Firmware security company IoT Inspector said its researchers have identified more than a dozen vulnerabilities in SDKs provided by Realtek to companies that use its RTL8xxx chips.

A vulnerability within the Realtek RTL819xD module allows attackers to gain complete access to the device, installed operating systems and other network devices. The chips supplied by Realtek are used by almost all well-known manufacturers and can be found in VoIP and wireless routers, repeaters, IP cameras, and smart lighting controls - just to name a few.