A stealthy remote access trojan (RAT) named ‘SeroXen’ has recently gained popularity as cybercriminals begin using it for its low detection rates and powerful capabilities. […]
Related Posts
Google Chrome 127 Released With Fix for Vulnerabilities that Lead to Browser Crash
Google has announced the release of Chrome 127, which is now available on the Stable channel for Windows, Mac, and Linux.
The new version, 127.0.6533.72/73 for Windows and Mac and 127.0.6533.72 for Linux, will be rolled out over the coming days and weeks. This update addresses multiple security vulnerabilities, including several high-risk issues that could lead to browser crashes.
Security Fixes and Rewards
The latest update includes 24 security fixes, with significant contributions from external researchers. While access to specific bug details and links may be restricted until a majority of users have updated, Google has highlighted several key fixes:
CVE-2024-6988: Use after free in Downloads, reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group, with a reward of $11,000.
CVE-2024-6989: Use after free in Loader, reported by an anonymous researcher, rewarded $8,000.
CVE-2024-6991: Use after free in Dawn, reported by wgslfuzz.
CVE-2024-6992: Out of bounds memory access in ANGLE, reported by Xiantong Hou of Wuheng Lab and Pisanbao.
CVE-2024-6993: Inappropriate implementation in Canvas, reported by an anonymous researcher.
CVE-2024-6994: Heap buffer overflow in Layout, reported by Huang Xilin of Ant Group Light-Year Security Lab, rewarded $8,000.
CVE-2024-6995: Inappropriate implementation in Fullscreen, reported by Alesandro Ortiz, rewarded $6,000.
CVE-2024-6996: Race in Frames, reported by Louis Jannett (Ruhr University Bochum), rewarded $5,000.
CVE-2024-6997: Use after free in Tabs, reported by Sven Dysthe (@svn-dys), rewarded $3,000.
CVE-2024-6998: Use after free in User Education, reported by Sven Dysthe (@svn-dys), rewarded $2,000.
CVE-2024-6999: Inappropriate implementation in FedCM, reported by Alesandro Ortiz, rewarded $2,000.
CVE-2024-7000: Use after free in CSS, reported by an anonymous researcher, rewarded $500.
CVE-2024-7001: Inappropriate implementation in HTML, reported by Jake Archibald.
These high-severity vulnerabilities could allow attackers to execute arbitrary code, cause browser crashes, or gain unauthorized access to sensitive information.
Additionally, several other vulnerabilities were addressed, ranging from medium to low severity, and the reporting researchers were rewarded accordingly.
Google’s internal security efforts also contributed to this release, with various fixes stemming from internal audits, fuzzing, and other initiatives. Tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL played crucial roles in identifying and mitigating these security issues.
Users are strongly encouraged to update their Chrome browsers to the latest version to benefit from these critical security fixes. Keeping the browser updated enhances security and ensures improved stability and performance.
Users can refer to the Chrome Security Page and the official release notes for more detailed information on the changes and security fixes included in this release.
As always, users who encounter any new issues with Chrome 127 are encouraged to report them through Google’s bug reporting system or seek assistance through the community help forum.
To check if your Chrome browser is updated to version 127, you can follow these steps:
1. Open Google Chrome on your device.
2. Click on the three-dot menu icon in the top-right corner of the browser window.
3. From the dropdown menu, select “Help” and then click on “About Google Chrome”.
4. A new tab will open showing your current Chrome version. If you’re on version 127, it will be displayed here.
5. Chrome will automatically check for updates when you’re on this page. If an update is available, it will download and install automatically.
6. After the update is complete, you may need to click “Relaunch” to apply the changes.
For specific devices:
On Android: Open Chrome, tap the three-dot menu, go to Settings > About Chrome > Application version.
On iOS: Open Chrome, tap the three-dot menu, go to Settings > Google Chrome to see the version number.
On Windows/Mac: The process is the same as described in steps 1-4 above.
Alternatively, you can type “chrome://version” in the Chrome address bar on any platform to see detailed version information.
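For administrators who need to confirm the update across many machines rather than by clicking through the menu, the same check can be scripted. The following is an added example (not code from Cyber Security News or Google): it parses the version string Chrome prints, whether from `google-chrome --version` or copied from the chrome://version page, and compares it with the fixed builds quoted above (127.0.6533.72/73 for Windows and Mac, 127.0.6533.72 for Linux). The list of binary names it probes on PATH and the platform keys in the table are assumptions for illustration.

```python
"""Check whether a Chrome build is at or above the Chrome 127 security release.

Added example. The minimum patched builds are the ones quoted in the release
post; the binary names probed on PATH are an assumption (Linux package names).
"""
import re
import shutil
import subprocess

# Minimum patched build per platform, taken from the release announcement.
# Windows/Mac shipped 127.0.6533.72 and .73; .72 is the lowest patched build.
FIXED_BUILDS = {
    "windows": (127, 0, 6533, 72),
    "mac": (127, 0, 6533, 72),
    "linux": (127, 0, 6533, 72),
}

# Chrome versions are four dotted integers: major.minor.build.patch
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part version found in text such as
    'Google Chrome 127.0.6533.72' or a pasted chrome://version line."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version, platform="linux"):
    """True when the version tuple is at or above the fixed build for the platform.

    Tuple comparison is lexicographic, so 127.0.6533.73 >= 127.0.6533.72 and
    126.0.6478.182 < 127.0.6533.72 even though 6478 and 182 are large numbers.
    """
    return tuple(version) >= FIXED_BUILDS[platform]


def local_chrome_version():
    """Best-effort: run the first Chrome/Chromium binary on PATH with --version.

    Returns None when no browser is installed (for example on a build host),
    so callers can distinguish 'unpatched' from 'not present'.
    """
    # Assumed binary names; adjust for your distribution or packaging.
    for name in ("google-chrome", "google-chrome-stable",
                 "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
            return parse_version(out.stdout)
    return None


if __name__ == "__main__":
    found = local_chrome_version()
    if found is None:
        print("no Chrome binary found on PATH")
    else:
        state = "patched" if is_patched(found, "linux") else "NEEDS UPDATE"
        print(f"Chrome {'.'.join(map(str, found))}: {state}")
```

On Windows the version can be read from the registry or the `chrome.exe` file properties instead of `--version`; the comparison logic is unchanged, only `local_chrome_version()` would need a platform-specific lookup.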
The post Google Chrome 127 Released With Fix for Vulnerabilities that Lead to Browser Crash appeared first on Cyber Security News.
“The mother of all breaches”: 26 billion records found online
Security researchers have discovered billions of exposed records online, calling it the “mother of all breaches”.
However, the dataset doesn’t seem to be from one single data breach, but rather a compilation of multiple breaches. Such sets are often created by data enrichment companies. Data enrichment is the process of combining first-party data from internal sources with disparate data from other internal systems or third-party data from external sources. Enriched data is a valuable asset for any organization because it becomes more useful and insightful.
The researchers stated:
“While the team identified over 26 billion records, duplicates are also highly likely. However, the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors.”
In other news about leaked personal data, a cybercriminal going by the name of “emo” claims they have 15 million unique records of project management tool Trello accounts for sale.
Trello is used by many organizations, so it understandably raised some concerns.
Atlassian, the company that runs Trello, however, denies there has been a breach. It seems as if someone took a large collection of email addresses and tested them against Trello.
This brings us to the question: when do you call a giant leak of personal information a breach, and when don’t you?
A definition of a breach that makes sense to me is this one:
“A breach is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software.”
So you might say that exposing billions of records was a breach, because it is unlikely the instance was left open on purpose. After all, that amount of data can be sold for a pretty penny.
And Atlassian can safely say it was not breached, since the criminals used an existing feature. Maybe in larger numbers than intended, but why admit you shouldn’t have allowed it?
Some people will say that a data breach can only be the result of a hack and everything else is a leak. If you look at it that way, neither one of the datasets came from a breach. One set was stumbled upon and the other was created by using a legitimate API.
But to those affected the end result is pretty much the same whether your data was leaked in a breach, accumulated by scraping, or gathered by a data enrichment company. Your information is out there in the open for every cybercriminal to use at their leisure.
If you want to find out if your data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.
You might be surprised. Remember though that it’s not embarrassing to you if your email address was found in a breach, but it is good to know if it was and where a password may have been included.
If the passwords it throws up at you look familiar, it would be a good idea to change the password where you’ve used it, enable 2FA, and check if it’s been re-used for other accounts.
Scammers are very good at using information found in breaches in social engineering attacks. Even the fact that your data may have been leaked in a breach is something scammers will readily use to launch a phishing attack and see what more they can find out from you.
Last year, over 2,000 companies and government entities reported data breaches impacting over 400 million personal accounts. Set up Identity Monitoring to get alerts whenever your data is exposed in a new breach.
Malwarebytes
Telerik Report Server Flaw Could Let Attackers Create Rogue Admin Accounts
Progress Software has rolled out updates to address a critical security flaw impacting the Telerik Report Server that could be potentially exploited by a remote attacker to bypass authentication and create rogue administrator users.
The issue, tracked as CVE-2024-4358, carries a CVSS score of 9.8 out of a maximum of 10.0.
“In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or