Security News

Infosec in brief Cybersecurity researchers informed Microsoft that Notorious North Korean hackers Lazarus Group discovered the "Holy grail" of rootkit vulnerabilities in Windows last year, but Redmond still took six months to patch the problem. Avast claims Lazarus Group used the vulnerability to obtain read/write primitive on the Windows kernel and install their FudModule rootkit, but Microsoft's opinion on the severity of admin-to-kernel exploits meant it didn't prioritize the matter, waiting until February's patch Tuesday to fix the issue, which it tagged as CVE-2024-21338, with a CVSS score of 8/10. "Some Windows components and configurations are explicitly not intended to provide a robust security boundary," Microsoft states on its Security Servicing criteria page.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting JetBrains TeamCity On-Premises software to its Known Exploited Vulnerabilities...

Security shop Rapid7 is criticizing JetBrains for flouting its policy against silent patching regarding fixes for two fresh vulnerabilities in the TeamCity CI/CD server. According to the cybersecurity company, it replied by saying it wouldn't agree to swift disclosure, and pointed JetBrains to its policy against silently patching vulnerabilities, which stipulates that if companies violate that policy, Rapid7 will itself release the full details of the vulnerability, including enough information to allow people to develop exploits, within 24 hours.

A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000, the...

Cybersecurity researchers have found that it's possible to compromise the Hugging Face Safetensors conversion service to ultimately hijack the models submitted by users and result in supply chain...

A critical security flaw has been disclosed in a popular WordPress plugin called Ultimate Member that has more than 200,000 active installations. The vulnerability, tracked as CVE-2024-1071,...

Details have emerged about a now-patched high-severity security flaw in Apple's Shortcuts app that could permit a shortcut to access sensitive information on the device without users' consent. The...

CVE Prioritizer is an open-source tool designed to assist in prioritizing the patching of vulnerabilities. The tool leverages the correlation between CVSS and EPSS scores to improve efforts in fixing vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)...

A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting...