S Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week’s Pwn2Own hacking competition within days. Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company’s Synology Photos and BeePhotos for BeeStation software. As Synology explains in security Read more about Synology and QNAP hurry out patches for zero-days exploited at Pwn2Own[…]

Some of the world’s most prominent leaders’ movements were tracked online through a fitness app used by their bodyguards, an investigation has suggested A report by French newspaper Le Monde said several US Secret Service agents use the Strava fitness app, which has revealed highly confidential movements of US president Joe Biden, presidential rivals Donald Read more about Fitness apps (Strava) still giving away locations of world leaders including Trump, Putin and Macron[…]

A nasty bug in Samsung’s mobile chips is being exploited by miscreants as part of an exploit chain to escalate privileges and then remotely execute arbitrary code, according to Google security researchers. The use-after-free vulnerability is tracked as CVE-2024-44068, and it affects Samsung Exynos mobile processors versions 9820, 9825, 980, 990, 850, and W920. It Read more about Samsung phones being attacked by flaw. Use the Oct 7 update![…]

It was revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US. What’s notable about the attack is that it compromised security backdoors deliberately created to allow for wiretaps by US law enforcement … […] Apple famously refused the FBI’s request to Read more about Chinese 3x ISP hack shows why world is right about security backdoors and politicians and security people who want them are idiots[…]

In this week’s Patch Tuesday Microsoft alerted users to, among other vulnerabilities, a flaw in Windows Installer that can be exploited by malware or a rogue user to gain SYSTEM-level privileges to hijack a PC. The vulnerability, CVE-2024-38014, was spotted and privately disclosed by security shop SEC Consult, which has now shared the full details Read more about More details on that Windows Installer ‘make me admin’ hole[…]

Security flaws in your computer’s firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular Read more about ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections[…]

More than 384,000 websites are linking to a site that was caught last week performing a supply-chain attack that redirected visitors to malicious sites, researchers said. For years, the JavaScript code, hosted at polyfill[.]com, was a legitimate open source project that allowed older browsers to handle advanced functions that weren’t natively supported. By linking to Read more about 384,000 sites still pulling code from sketchy polyfill.io code library recently bought by Chinese firm[…]

CocoaPods vulnerabilities reported today could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting “almost every Apple device.” E.V.A Information Security researchers found that the three vulnerabilities in the open source CocoaPods dependency manager were present in applications Read more about CocoaPods Vulnerabilities from 2014 Affects almost all Apple devices, Facebook, TikTok apps and more[…]

It took a while, but Microsoft has told customers that the Russian criminals who compromised its systems earlier this year made off with even more emails than it first admitted. We’ve been aware for some time that the digital Russian break-in at the Windows maker saw Kremlin spies make off with source code, executive emails, Read more about Microsoft finally tells more customers their emails have been stolen[…]

An ID verification company that works on behalf of TikTok, X and Uber, among others, has left a set of administrative credentials exposed for more than a year, as reported by 404 Media. The Israel-based AU10TIX verifies the identity of users by using pictures of their faces and drivers’ licenses, potentially opening up both to Read more about ID verification service that works with TikTok and X left its admin credentials wide open for a year[…]

[…] CVE-2024-30078, a Wi-Fi driver remote code execution hole rated 8.8 in severity. It’s not publicly disclosed, not yet under attack, and exploitation is “less likely,” according to Redmond. “An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution,” Read more about Microsoft fixes hack-me-via-Wi-Fi Windows security hole[…]

A report from BleepingComputer notes that ASUS “has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices.” But there’s more bad news: Taiwan’s CERT has also informed the public about CVE-2024-3912 in a post yesterday, which is a critical (9.8) arbitrary firmware Read more about ASUS Releases Firmware Update for Critical Remote Authentication Bypass Affecting Seven Routers[…]