Security News

We need to face that reality by halting the purchase of insecure weapons and support systems and by incorporating the realities of offensive cyberattacks into our military planning. Military computers, whether they're embedded inside weapons systems or on desktops managing the logistics of those weapons systems, are similarly vulnerable.

Researchers have discovered 10 vulnerabilities - a majority rated critical or high severity - in CODESYS industrial automation software that is used in many industrial control system products. Researchers at Russian cybersecurity company Positive Technologies identified the vulnerabilities in various products made by CODESYS. They initially found the flaws in a programmable logic controller made by WAGO, but further analysis showed that the issues were actually introduced by CODESYS software that is used by more than a dozen manufacturers for their PLCs, including Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian firms.

Researchers have identified 10 vulnerabilities in CODESYS automation software for industrial control systems. "The vendor rated some of these vulnerabilities as 10 out of 10, or extremely dangerous. Their exploitation can lead to remote command execution on PLC, which may disrupt technological processes and cause industrial accidents and economic losses," said Vladimir Nazarov, Head of ICS Security at Positive Technologies.

Major software vulnerabilities are a fact of life, as illustrated by the fact that Microsoft has patched between 55 and 110 vulnerabilities each month this year - with 7% to 17% of those vulnerabilities being critical. The problem is that the critical vulnerabilities are things we have seen for many years, like remote code execution and privilege escalation.

Cisco's Talos threat intelligence and research unit on Wednesday disclosed the details of several SMB-related vulnerabilities patched recently by Apple in its macOS operating system. Apple's own SMB stack is called SMBX. Talos disclosed seven vulnerabilities found in SMBX server components and also detailed the process it used to identify them.

Industrial switches provided by several vendors are affected by the same vulnerabilities due to the fact that they share firmware made by Taiwan-based industrial networking solutions provider Korenix Technology. The firmware developed by Korenix for its JetNet industrial switches is also used by Westermo for PMI-110-F2G and Pepperl+Fuchs for Comtrol RocketLinx industrial switches.

The FBI on Thursday published indicators of compromise associated with the continuous exploitation of Fortinet FortiOS vulnerabilities in attacks targeting commercial, government, and technology services networks. In early April, the FBI along with the Cybersecurity and Infrastructure Security Agency warned that threat actors had been targeting serious security holes in Fortinet's flagship operating system FortiOS for initial access into victims' networks.

Vulnerabilities in Visual Studio Code extensions could be exploited by malicious attackers to steal valuable information from developers and even compromise organizations, researchers with open-source software security firm Snyk say. Generally considered secure, VS Code extensions could expose millions of developers to malicious attacks, potentially leading to the compromise of information stored on developer machines, such as credentials, or even opening the route to further attacks.

Siemens on Tuesday released an advisory to inform customers about several high-severity vulnerabilities affecting its Solid Edge product. The vulnerabilities were discovered in Siemens Solid Edge last year by security researcher Andrea Micalizzi, who has identified many vulnerabilities in industrial systems over the past years.

Automated testing and rapid deployment are critical to defending against vulnerabilities in open source software, said David Wheeler, director of Open Source Supply Chain Security at the Linux Foundation. Wheeler referenced a 2021 report by software security and IoT company Synopsys which said there are an average of 528 open source components per application, that 84 per cent of codebases have at least one vulnerability, and the average number of vulnerabilities per codebase is 158.