Security flaws in your computer’s firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular Read more about ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections[…]

More than 384,000 websites are linking to a site that was caught last week performing a supply-chain attack that redirected visitors to malicious sites, researchers said. For years, the JavaScript code, hosted at polyfill[.]com, was a legitimate open source project that allowed older browsers to handle advanced functions that weren’t natively supported. By linking to Read more about 384,000 sites still pulling code from sketchy polyfill.io code library recently bought by Chinese firm[…]

CocoaPods vulnerabilities reported today could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting “almost every Apple device.” E.V.A Information Security researchers found that the three vulnerabilities in the open source CocoaPods dependency manager were present in applications Read more about CocoaPods Vulnerabilities from 2014 Affects almost all Apple devices, Facebook, TikTok apps and more[…]

It took a while, but Microsoft has told customers that the Russian criminals who compromised its systems earlier this year made off with even more emails than it first admitted. We’ve been aware for some time that the digital Russian break-in at the Windows maker saw Kremlin spies make off with source code, executive emails, Read more about Microsoft finally tells more customers their emails have been stolen[…]

An ID verification company that works on behalf of TikTok, X and Uber, among others, has left a set of administrative credentials exposed for more than a year, as reported by 404 Media. The Israel-based AU10TIX verifies the identity of users by using pictures of their faces and drivers’ licenses, potentially opening up both to Read more about ID verification service that works with TikTok and X left its admin credentials wide open for a year[…]

[…] CVE-2024-30078, a Wi-Fi driver remote code execution hole rated 8.8 in severity. It’s not publicly disclosed, not yet under attack, and exploitation is “less likely,” according to Redmond. “An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution,” Read more about Microsoft fixes hack-me-via-Wi-Fi Windows security hole[…]

A report from BleepingComputer notes that ASUS “has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices.” But there’s more bad news: Taiwan’s CERT has also informed the public about CVE-2024-3912 in a post yesterday, which is a critical (9.8) arbitrary firmware Read more about ASUS Releases Firmware Update for Critical Remote Authentication Bypass Affecting Seven Routers[…]

In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped. Implemented and supported last year in Google’s Pixel 8 and Pixel 8 Pro phones and previously in Linux, MTE aims to help detect Read more about Arm Memory Tag Extensions broken by speculative execution[…]

Sav-Rx has started notifying about 2.8 million people that their personal information was likely stolen during an IT intrusion that happened more than seven months ago. The biz provides prescription drug management services to more than 10 million US workers and their families, via their employers or unions. It first spotted the network “interruption” on Read more about 2.8M US folks’ personal info swiped in Sav-Rx IT heist – 8 months ago[…]

The federal government agency responsible for granting patents and trademarks is alerting thousands of filers whose private addresses were exposed following a second data spill in as many years. The U.S. Patent and Trademark Office (USPTO) said in an email to affected trademark applicants this week that their private domicile address — which can include Read more about US Patent and Trademark Office confirms another leak of filers’ address data[…]

Microsoft says the April security updates for Windows may break your VPN. (Oops!) “Windows devices might face VPN connection failures after installing the April 2024 security update (KB5036893) or the April 2024 non-security preview update,” the company wrote in a status update. It’s working on a fix. Bleeping Computer first reported the issue, which affects Read more about Microsoft’s latest Windows security updates might break your VPN[…]

[…] On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with Read more about UK becomes first country to ban default bad passwords on IoT devices[…]