In the Security News: FreeBSD and the software supply chain, open source implies that it's open, hardcoded passwords are always bad, on-again, off-again, on-again, privilege escalation defined, preparing for quantum, so many vulnerabilities, CosmicStrand (another UEFI firmware rootkit), & reviving ancient computers!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Executive Director at RM-ISAO
Product Security Research and Analysis Director at Finite State
Atlassian disclosed several vulnerabilities, including a hard-coded password issue affecting the Questions for Confluence app. Atlassian has since reported that the password has been leaked online, which makes patching the app even more urgent.
Fix: update the Questions for Confluence app to a version in the 2.7.x line >= 2.7.38, or to a version > 3.0.5.
In addition to fixing almost 40 flaws, Apple has addressed a memory corruption vulnerability (CVE-2022-2294) impacting its WebRTC component, which was disclosed by Google last week as part of its release of software fixes for iOS, iPadOS, tvOS, and WatchOS.
SonicWall has released "urgent patches" to address a critical vulnerability (CVE-2022-22280) impacting Global Management System (GMS) installations before 9.3.1-SP2-Hotfix-2 that could be exploited by remote, unauthenticated attackers to send a specially crafted request to the impacted application and execute arbitrary SQL commands in the application's database.
The "CosmicStrand" Windows firmware rootkit is reportedly being used in attacks targeting the Unified Extensible Firmware Interface (UEFI) in order to remain undetected and maintain persistence on targeted systems.
Microsoft is now taking steps to prevent Remote Desktop Protocol (RDP) brute-force attacks as part of the latest builds for the Windows 11 operating system. The default policy for Windows 11 builds (particularly Insider Preview builds 22528.1000 and newer) will automatically lock accounts for 10 minutes after 10 invalid sign-in attempts.
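To make the effect of that lockout policy concrete, here is an added example (not from the episode, and not Microsoft's implementation) that models a "10 failures, then a 10-minute lockout" rule and replays it over a constructed sign-in log. The log format (ISO timestamp, Windows logon event ID 4625 for failure / 4624 for success, account, source address), the 10-minute observation window for counting failures, and the account names and addresses are all assumptions made for the example.

```python
"""Sliding-window account lockout model replayed over constructed logon events (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Parameters from the policy described in the text: 10 failures -> 10-minute lockout.
# The 10-minute window over which failures are counted is an assumption of this model.
THRESHOLD = 10
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=10)

FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"  # Windows Security log event IDs for failed / successful logon


class LockoutPolicy:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(list)  # account -> timestamps of recent failed attempts
        self.locked_until = {}             # account -> datetime at which the lockout expires

    def attempt(self, account, ts, success):
        """Evaluate one sign-in attempt; returns 'locked', 'allowed' or 'failed'."""
        until = self.locked_until.get(account)
        if until is not None:
            if ts < until:
                return "locked"  # inside the lockout: rejected even with the right password
            del self.locked_until[account]  # lockout expired, counter starts fresh
            self.failures[account] = []
        if success:
            self.failures[account] = []  # a good sign-in resets the failure counter
            return "allowed"
        # keep only failures inside the observation window, then add this one
        recent = [t for t in self.failures[account] if ts - t < self.window]
        recent.append(ts)
        if len(recent) >= self.threshold:
            self.locked_until[account] = ts + self.lockout
            self.failures[account] = []
            return "locked"
        self.failures[account] = recent
        return "failed"


def parse_line(line):
    """Constructed format: '<iso timestamp> <event id> <account> <source ip>'."""
    ts, event_id, account, source = line.split()
    return datetime.fromisoformat(ts), event_id, account, source


def replay(lines, policy=None):
    """Run every logged attempt through the policy; returns per-account outcome counts."""
    policy = policy or LockoutPolicy()
    outcomes = defaultdict(Counter)
    for line in lines:
        ts, event_id, account, _source = parse_line(line)
        outcomes[account][policy.attempt(account, ts, event_id == SUCCESS_LOGON)] += 1
    return {acct: dict(c) for acct, c in outcomes.items()}


def constructed_log():
    """Constructed sample: a burst of 12 failures against 'admin', then two correct sign-ins,
    and a user 'alice' who mistypes three times before signing in successfully."""
    t0 = datetime(2022, 7, 26, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} {FAILED_LOGON} admin 203.0.113.5"
             for i in range(12)]
    # correct password, but still inside the 10-minute lockout -> rejected
    lines.append(f"{(t0 + timedelta(minutes=5)).isoformat()} {SUCCESS_LOGON} admin 203.0.113.5")
    # lockout has expired by now -> accepted
    lines.append(f"{(t0 + timedelta(minutes=11)).isoformat()} {SUCCESS_LOGON} admin 203.0.113.5")
    lines += [f"{(t0 + timedelta(minutes=1, seconds=i)).isoformat()} {FAILED_LOGON} alice 198.51.100.7"
              for i in range(3)]
    lines.append(f"{(t0 + timedelta(minutes=2)).isoformat()} {SUCCESS_LOGON} alice 198.51.100.7")
    return lines


if __name__ == "__main__":
    for account, counts in replay(constructed_log()).items():
        print(account, counts)
```

Replaying the constructed log shows the trade-off the policy makes: the attacker's burst against `admin` yields nine plain failures before the tenth attempt triggers the lockout, every further guess (and the legitimate sign-in at the five-minute mark) is rejected as `locked`, and the account is usable again once the ten minutes elapse, while `alice`'s three typos never approach the threshold. A practitioner reviewing such a policy would also look at the other side of the coin visible here: an attacker who keeps sending guesses can hold a named account locked indefinitely, so the lockout should be paired with source-based rate limiting and alerting on repeated 4625 events rather than relied on alone.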
The Filewave mobile device management suite had a pair of vulnerabilities which security researchers have shown could let attackers push malware out as a phone update or obtain access to enterprise networks.
Entrust has revealed it suffered a June 18, 2022, "cyberattack" during which hackers managed to breach its network and steal data, which could affect an array of critical and sensitive organizations using Entrust solutions for authentication and identity management.
In this segment, featuring guest Amer Deeba, we'll explore how the SEC's new breach reporting rules will affect companies. We've got a ton of questions: What behavior has to change? What additional preparation needs to take place? How does this rule affect data security? How does it affect crisis communications?
And most importantly, when is an in...
Matt Coose is the founder and CEO of cybersecurity compliance firm Qmulos, and previously the director of Federal Network Security for the National Cyber Security Division of the Department of Homeland Security (DHS).
CISOs carry the ultimate burden and weight of compliance and reporting and are often the last buck. Says Coose, best-of-breed is better described as best-to-bleed-the-...