Security News
The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open...
Researchers from firmware protection company Binarly have discovered critical vulnerabilities in the UEFI firmware from InsydeH2O used by multiple computer vendors such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer. UEFI software is an interface between a device's firmware and the operating system, which handles the booting process, system diagnostics, and repair functions.
A number of security vulnerabilities have been disclosed in 42 Gears' SureMDM device management solution that could be weaponized by attackers to perform a supply chain compromise against affected organizations. The India-based company's SureMDM is a cross-platform mobile device management service that allows enterprises to remotely monitor, manage, and secure their fleet of company-owned machines and employee-owned devices.
Microsoft says threat and vulnerability management support for Android and iOS has reached general availability in Microsoft Defender for Endpoint, the company's enterprise endpoint security platform. "Threat and vulnerability management in Microsoft Defender for Endpoint continuously monitors and identifies impacted devices, assesses associated risks in the environment, and provides intelligent prioritization and integrated workflows to seamlessly remediate vulnerabilities."
The US Cybersecurity & Infrastructure Security Agency has added eight more flaws to its catalog of exploited vulnerabilities that are known to be used in attacks, and they're a mix of old and new. The goal of publishing these vulnerabilities is to raise awareness and remind federal organizations of their obligation to apply security updates by a specified strict deadline.
The United Kingdom's National Cyber Security Centre, the government agency that leads the UK's cyber security mission, is releasing NMAP Scripting Engine scripts to help defenders scan for and remediate vulnerable systems on their networks. The scripts, authored by i100 partners or security experts who want to share their scripts with the community, will be published on GitHub through a new project named Scanning Made Easy.
This week, the Cybersecurity and Infrastructure Security Agency added seventeen actively exploited vulnerabilities to the 'Known Exploited Vulnerabilities Catalog'. The 'Known Exploited Vulnerabilities Catalog' is a list of vulnerabilities that have been seen abused by threat actors in attacks and that are required to be patched by Federal Civilian Executive Branch agencies.
Toronto-based Citizen Lab has warned that an app required by Beijing law to attend the 2022 Olympics contains vulnerabilities that can leak calls and data to malicious users, as well as the potential to subject the user to scanning for censored keywords. The playbooks, which are documents that serve as info guides for Olympics-goers, instruct international visitors to download the app and use it to monitor health for 14 days prior to their departure for China.
After a banner year for vulnerabilities and cyberattacks in 2021, organizations believe they are fighting a "losing battle" against security vulnerabilities and threats, "despite the billions of dollars spent collectively on cybersecurity technology," according to an annual security report from Bugcrowd. The 2022 report, which compiles data from the company's activity over the year, highlights some of the top trends in terms of vulnerabilities that organizations reported in 2021 as well as the types of attacks that occurred most prevalently.
Google has rolled out the first round of updates to its Chrome web browser for 2022 to fix 37 security issues, one of which is rated Critical in severity and could be exploited to pass arbitrary code and gain control over a victim's system. Security researcher Yangkang of Qihoo 360 ATA, who has previously disclosed zero-day vulnerabilities in Apple's WebKit, has been credited with discovering and reporting the flaw on November 30, 2021.