The maintainers of Python Package Index (PyPI), the official third-party software repository for the Python programming language, have temporarily disabled the ability for users to sign up and upload new packages until further notice.
“The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion,
Related Posts
2 Firefox Zero-Days Exploited At Pwn2Own : Patch Now
Mozilla addresses two zero-day vulnerabilities that were recently exploited at the Pwn2Own Vancouver 2024 hacking contest in the Firefox web browser.
The Pwn2Own Vancouver 2024 hacking competition was held this week, and Trend Micro’s Zero Day Initiative (ZDI) revealed that participants received $1,132,500 for exhibiting 29 distinct zero-days.
The competition’s winner, researcher Manfred Paul (@_manfp), exploited two critical vulnerabilities, CVE-2024-29944 and CVE-2024-29943.
Manfred Paul (@_manfp) achieved his Mozilla Firefox sandbox escape by chaining an out-of-bounds write (CVE-2024-29943) for remote code execution with an exposed dangerous function bug (CVE-2024-29944).
He earned an additional $100,000 and 10 Master of Pwn points, putting him in the lead with 25 points.
Manfred Paul was ultimately awarded the title of Master of Pwn. In all, he earned $202,500 and 25 points.
Details Of The Security Flaws Patched
CVE-2024-29943: Out-Of-Bounds Access via Range Analysis bypass
According to Mozilla, an attacker might deceive range-based bounds check elimination and execute an out-of-bounds read or write on a JavaScript object.
Firefox < 124.0.1 is vulnerable to this attack.
“An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination”, Mozilla said in its advisory.
CVE-2024-29944: Privileged JavaScript Execution via Event Handlers
An attacker was able to inject an event handler into a privileged object, enabling arbitrary JavaScript execution in the parent process.
This vulnerability only affects desktop versions of Firefox; mobile versions are unaffected.
“An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process”, Mozilla said.
Patch Released
Mozilla published Firefox 124.0.1 and Firefox ESR 115.9.1 to address both security issues.
These flaws highlight how important it is to maintain strict security practices and apply software updates as soon as they become available.
By updating to Firefox 124.0.1 (or Firefox ESR 115.9.1), users can protect themselves from these critical vulnerabilities and any related risks.
The post 2 Firefox Zero-Days Exploited At Pwn2Own : Patch Now appeared first on Cyber Security News.
Patch now! Roundcube mail servers are being actively exploited
The Cybersecurity & Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube Webmail to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by March 4, 2024, in order to protect their devices against active threats. We urge other Roundcube Webmail users to take this seriously too.
Roundcube is a web-based IMAP email client. Internet Message Access Protocol (IMAP) is used for receiving email. It allows users to access their emails from multiple devices, which is why an email you read on your laptop is marked as “read” on your phone too. Reportedly, there are over 132,000 Roundcube servers accessible over the internet, most of them located in the US and China.
The affected versions are Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. An update to patch the vulnerability with version 1.6.3 has been available since September 15, 2023. The current version, 1.6.6 at the time of writing, does not have the vulnerability either.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is:
CVE-2023-43770, which is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information.
XSS vulnerabilities occur when input coming into web applications is not validated and/or output to the browser is not properly escaped before being displayed. Persistent, or stored XSS, is a type of vulnerability which occurs when the untrusted or unverified user input is stored on a target server.
This means that a persistent XSS attack is possible when the attacker exploits a vulnerable website or web application to inject malicious code, and this code is stored on a server so it will later automatically be served to other users who visit the web page.
In this case it appears that attackers can send plain text emails containing XSS links to Roundcube users; Roundcube does not sanitize those links before rendering them and, of course, stores the email, which provides the persistence.
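As an added illustration of the sanitization step this passage describes (example code written for this page, not taken from the Malwarebytes post or from Roundcube, and in Python rather than Roundcube's PHP for portability): a naive plain-text linkifier that drops a URL into an href unescaped, beside a hardened one that HTML-escapes both the surrounding text and the attribute value. The sample email body is constructed.

```python
import html
import re

# Constructed sample: a plain-text email body whose URL carries a double
# quote and angle brackets. When such text is turned into HTML links without
# escaping, the quote terminates the href attribute and the rest becomes markup.
SAMPLE_EMAIL = 'See http://example.test/report?id=1"><b>x</b> thanks'

# Matches http(s) URLs up to the next whitespace, as simple linkifiers do.
URL_RE = re.compile(r"https?://\S+")


def linkify_naive(text: str) -> str:
    """Vulnerable: URL and surrounding text are interpolated verbatim."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def linkify_safe(text: str) -> str:
    """Hardened: every piece of untrusted text is escaped before it reaches HTML.

    html.escape() (quote=True by default) turns <, >, &, " and ' into entities,
    so a URL can neither close the href attribute nor inject tags, and the
    non-URL text between links cannot inject tags either.
    """
    parts = []
    pos = 0
    for m in URL_RE.finditer(text):
        parts.append(html.escape(text[pos:m.start()]))
        url = html.escape(m.group(0))
        parts.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    parts.append(html.escape(text[pos:]))
    return "".join(parts)


def contains_injected_tag(rendered: str) -> bool:
    """Check used to show the difference: does a raw <b> tag survive rendering?"""
    return "<b>" in rendered


if __name__ == "__main__":
    print("naive:", linkify_naive(SAMPLE_EMAIL))
    print("safe: ", linkify_safe(SAMPLE_EMAIL))
```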
Malwarebytes
Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft
Threat actors have been observed abusing the open source Cloudflare Tunnel tool Cloudflared to maintain stealthy, persistent access to compromised systems.
The post Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft appeared first on SecurityWeek.