Apple Issues Urgent Patch for Zero-Day Flaw Targeting iOS, iPadOS, macOS, and Safari
Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address a zero-day flaw that it said has been actively exploited in the wild.
The WebKit bug, cataloged as CVE-2023-37450, could allow threat actors to achieve arbitrary code execution when processing specially crafted web content. The iPhone maker said it addressed the issue with improved checks
The Hacker News | #1 Trusted Cybersecurity News Site
ChatGPT for Vulnerability Detection – Prompts Used and their Responses
Software vulnerabilities are essentially errors in code that malicious actors can exploit. Advanced language models such as CodeBERT, GraphCodeBERT, and CodeT5 can detect these vulnerabilities, provide detailed analysis assessments, and even recommend patches to address them.
These models have proven to be highly effective in identifying and mitigating software vulnerabilities, making them an essential tool for any organization looking to enhance their security posture.
AIBugHunter, a VSCode extension, builds on these models to flag and explain vulnerabilities during development.
While ChatGPT and other large language models excel at code-related tasks, no comprehensive study had assessed their potential across the entire vulnerability workflow, including:
Detection
Type explanation
Severity estimation
Repair suggestions
Recently, the following cybersecurity researchers from Monash University, Clayton, Australia, explored ChatGPT's use in software vulnerability tasks, including prediction, classification, and smart contract correction:
Michael Fu
Chakkrit (Kla) Tantithamthavorn
Van Nguyen
Trung Le
Some previous studies had examined large language models for automated program repair, but not the latest ChatGPT versions.
ChatGPT Vulnerability Detection
The researchers analyzed ChatGPT's ability on the following four vulnerability prediction tasks:
Function and line-level software vulnerability prediction (SVP)
Software vulnerability classification (SVC)
Severity estimation
Automated vulnerability repair (APR)
ChatGPT's 1.7 trillion parameters vastly exceed those of source-code-oriented models like CodeBERT, so it must be used through prompts. Fine-tuning it for vulnerability tasks is not possible because its parameters are proprietary and not publicly available.
An example prompt for function and line-level vulnerability prediction (Source – Arxiv)
The researchers evaluated ChatGPT (gpt-3.5-turbo and gpt-4) against code-specific models.
They compared it with AIBugHunter, CodeBERT, GraphCodeBERT, and VulExplainer on four vulnerability tasks using Big-Vul and CVEFixes datasets, addressing four research questions.
The four research questions and their respective results are listed below:
(RQ1) How accurate is ChatGPT for function and line-level vulnerability predictions?
Results: ChatGPT achieves an F1-measure of 10% and 29% and a top-10 accuracy of 25% and 65%, the lowest of all the methods compared.
(RQ2) How accurate is ChatGPT for vulnerability type classification?
Results: ChatGPT achieves the lowest multiclass accuracy of 13% and 20%, 45%-52% lower than the best baseline.
(RQ3) How accurate is ChatGPT for vulnerability severity estimation?
Results: ChatGPT gave the most inaccurate severity estimation with the highest mean squared error (MSE) of 5.4 and 5.85, while other baseline methods achieved MSE of 1.8 to 1.86.
(RQ4) How accurate is ChatGPT for automated vulnerability repair?
Results: ChatGPT failed to generate any correct repair patch, while the other baselines correctly repaired 7%-30% of vulnerable functions.
Prompt for CWE-ID classification (Source – Arxiv)
ChatGPT did not produce correct repair patches, whereas the fine-tuned baselines repaired 7%-30% of the vulnerable functions. BLEU and METEOR scores confirm that the baselines' patches are closer to the ground-truth patches.
This highlights the difficulty of vulnerability repair and suggests that ChatGPT would require domain-specific fine-tuning for this task.
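As an added illustration (not code from the Monash paper or this article), the scorer below computes the three metrics behind RQ1 and RQ3 on constructed inputs: binary F1 for function-level prediction, top-k accuracy for line-level localisation (a vulnerable function counts as a hit when at least one of its truly vulnerable lines is among the k highest-scored lines), and MSE for severity estimation. All labels, line scores and severity values are made up for the example.

```python
# Added example, not code from the paper or the article. Scores a model's
# vulnerability predictions with the metrics reported for RQ1 and RQ3.
# All labels, line scores and severity values below are constructed.
from typing import Dict, List, Sequence


def f1_score(y_true: Sequence[int], y_pred: Sequence[int]) -> float:
    """Binary F1 for function-level prediction (1 = vulnerable, 0 = benign)."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == 1 and p == 1 for t, p in pairs)
    fp = sum(t == 0 and p == 1 for t, p in pairs)
    fn = sum(t == 1 and p == 0 for t, p in pairs)
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def top_k_accuracy(line_scores: Dict[str, List[float]],
                   vuln_lines: Dict[str, List[int]], k: int = 10) -> float:
    """Line-level localisation: share of vulnerable functions for which at
    least one truly vulnerable line ranks among the k highest-scored lines.
    Ties are broken by line order, so flat scores do not count as a hit."""
    hits = 0
    for func, scores in line_scores.items():
        ranked = sorted(range(len(scores)), key=lambda i: (-scores[i], i))
        if set(ranked[:k]) & set(vuln_lines[func]):
            hits += 1
    return hits / len(line_scores)


def mse(y_true: Sequence[float], y_pred: Sequence[float]) -> float:
    """Mean squared error between predicted and true severity scores."""
    return sum((t - p) ** 2 for t, p in zip(y_true, y_pred)) / len(y_true)


# Constructed sample: 5 functions, ground truth vs. model verdict
FUNC_TRUTH = [1, 1, 0, 1, 0]
FUNC_PRED = [1, 0, 1, 1, 0]
# Constructed per-line scores for the three truly vulnerable functions
LINE_SCORES = {"f0": [0.1, 0.9, 0.2, 0.3],
               "f1": [0.5, 0.4, 0.3, 0.2, 0.1],
               "f3": [0.05, 0.1, 0.2]}
VULN_LINES = {"f0": [1], "f1": [4], "f3": [2]}
# Constructed CVSS-style severity scores (0-10 scale)
SEV_TRUTH = [7.5, 9.8, 5.3, 6.1]
SEV_PRED = [7.0, 7.5, 5.0, 9.0]

if __name__ == "__main__":
    print(f"F1 {f1_score(FUNC_TRUTH, FUNC_PRED):.2f}")
    print(f"top-2 accuracy {top_k_accuracy(LINE_SCORES, VULN_LINES, k=2):.2f}")
    print(f"severity MSE {mse(SEV_TRUTH, SEV_PRED):.2f}")
```

With a small k the ranking matters (f1 scores its vulnerable last line lowest, so it misses at k=2), which is why the paper's top-10 figures can look far better than its F1 figures for the same model.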
Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023
About 34% of security vulnerabilities impacting industrial control systems (ICSs) that were reported in the first half of 2023 have no patch or remediation, registering a significant increase from 13% the previous year.
According to data compiled by SynSaber, a total of 670 ICS product flaws were reported via the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the first half of
Inside Operation Diplomatic Specter: Chinese APT Group’s Stealthy Tactics Exposed
Governmental entities in the Middle East, Africa, and Asia are the target of a Chinese advanced persistent threat (APT) group as part of an ongoing cyber espionage campaign dubbed Operation Diplomatic Specter since at least late 2022.
"An analysis of this threat actor's activity reveals long-term espionage operations against at least seven governmental entities," Palo Alto Networks