Security News
With ransomware attacks increasingly impacting businesses, government agencies and critical infrastructure, President Joe Biden last week signed an executive order designed to shore up the nation's cybersecurity. Though most of the EO is aimed at government agencies, vendors and developers will have to design all of their products with a greater focus on security, according to Finite State.
Impacted vendors have released security advisories in response to the recently disclosed Wi-Fi vulnerabilities collectively tracked as FragAttacks. A dozen CVE identifiers have been assigned to the FragAttacks flaws discovered last year by researcher Mathy Vanhoef, including three for design flaws and nine for implementation flaws.
Some 73% of companies prefer to purchase from technology providers that are transparent and proactive in helping organizations manage their cybersecurity risk, a study released Monday by Intel finds. "Security doesn't just happen. If you are not finding vulnerabilities, then you are not looking hard enough," said Suzy Greenberg, vice president of Intel product assurance and security, in a statement.
Microsoft and several major cybersecurity companies have responded to a researcher's disclosure of a method for remotely disabling their antivirus products by leveraging the Windows safe mode. Researcher Roberto Franceschetti last week published an advisory, a blog post, a video and proof-of-concept exploits demonstrating a method that could be used by an attacker to disable anti-malware products from Microsoft, Avast, Bitdefender, F-Secure and Kaspersky.
The "State of Third Party Risk Management" report surveyed 154 third-party risk management professionals and found that they assess a median of 50 vendors each year, with most enterprises reporting having a TPRM program for about five to six years. "In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide," said Kelly White, CEO and co-founder of RiskRecon.
Industrial control system firms Real Time Automation and Paradox both warned of critical vulnerabilities Tuesday that opened systems up to remote attacks by adversaries. RTA, which describes itself as providing industrial control systems for manufacturing and building automation, posted information regarding the vulnerability on Oct. 27.
A vulnerability identified recently by researchers at storage giant Western Digital in the Replay Protected Memory Block protocol impacts the products of several other major companies, including Google, Intel and MediaTek. The RPMB feature is designed to protect devices against replay attacks by providing an authenticated and protected area for storing data that ensures each message is unique and cannot be replayed.
NVIDIA on Wednesday released patches to address a total of nine vulnerabilities impacting NVIDIA DGX servers. The vulnerabilities were reported to NVIDIA by members of the SCADA StrangeLove project, which focuses on ICS/SCADA security, as part of their research into machine learning infrastructure vulnerabilities.
IoT Security Foundation unveils online platform to help IoT vendors report and manage vulnerabilities
An online platform designed to help IoT vendors receive, assess, manage and mitigate vulnerability reports has been launched by the IoT Security Foundation. VulnerableThings.com aims to simplify the reporting and management of vulnerabilities whilst helping IoT vendors comply with new consumer IoT security standards and regulations.
A researcher at privileged access management solutions provider CyberArk has discovered vulnerabilities in the products of 10 cybersecurity vendors. The research focused on vulnerabilities that can allow an attacker or a piece of malware to escalate privileges using symlink attacks or DLL hijacking.