#CVE/vulnerability
pavel-nosok · 7 months ago
Text
Foxit PDF Reader Vulnerability Let Attackers Execute Arbitrary Code
Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability was found in Foxit PDF Reader, a widely used alternative to Adobe Acrobat. Given the memory corruption vulnerability, attackers could execute arbitrary code on the machine that is the target of their attack. Additionally, three vulnerabilities were discovered in Veertu’s Anka…
0 notes
szepkerekkocka · 2 years ago
Text
"CVSS is a shitty system"
Case studies on how the CVSS (Common Vulnerability Scoring System) sausage gets made, in a talk by the lead developer of cURL.
@muszeresz
7 notes
blackmoreops · 5 days ago
Text
Zero-Day Vulnerability in Output Messenger Exploited by Türkiye Hackers
Cybersecurity researchers have uncovered a concerning development where Türkiye-affiliated hackers successfully exploited a Zero-Day Vulnerability in Output Messenger. The attack, which began in April 2024, specifically targeted Kurdish military operations in Iraq. This Zero-Day Vulnerability in Output Messenger highlights the ongoing cybersecurity challenges faced by organisations using…
0 notes
utopicwork · 7 months ago
Text
10/10/24
31K notes
attritionorg · 1 month ago
Text
Who Reads Mega-advisories? No one! (Almost)
Vulnerability disclosure analysts are long familiar with so-called “mega advisories”, ones that typically come from vendors and often for products that ship appliances using hundreds of libraries or products with an entire operating system included. Such advisories can literally represent over 500 vulnerabilities in one shot. I’ll try to make this a bit fun! Disclaimer: I am going to use one…
0 notes
it-system-engineer · 11 months ago
Text
VMware vCenter Security Vulnerability
Hello, in this post I will talk about the recently published VMware vCenter security vulnerability. VMware recently fixed important security vulnerabilities in its vCenter Server products. These vulnerabilities affect vCenter Server 7.0, 8.0 and VMware Cloud Foundation 4.x and 5.x. These vulnerabilities, identified as CVE-2024-37079, CVE-2024-37080 and CVE-2024-37081, are high…
0 notes
jpmellojr · 1 year ago
Text
Don't let CVEs distract you: Shift your AppSec team's focus to malware
Rather than wasting cycles on non-exploitable or remediated security holes, teams should focus on exploitability, and look for compromises including malware and tampering. Here's why. https://jpmellojr.blogspot.com/2023/11/dont-let-cves-distract-you-shift-your.html
0 notes
newgraywolf · 7 months ago
Text
Hey, if you use Firefox, update it. asap.
https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.html?m=1
186 notes
kenyatta · 1 month ago
Text
A critical resource that cybersecurity professionals worldwide rely on to identify, mitigate and fix security vulnerabilities in software and hardware is in danger of breaking down. The federally funded, non-profit research and development organization MITRE warned today that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program — which is traditionally funded each year by the Department of Homeland Security — expires on April 16. Tens of thousands of security flaws in software are found and reported every year, and these vulnerabilities are eventually assigned their own unique CVE tracking number (e.g. CVE-2024-43573, which is a Microsoft Windows bug that Redmond patched last year). There are hundreds of organizations — known as CVE Numbering Authorities (CNAs) — that are authorized by MITRE to bestow these CVE numbers on newly reported flaws. Many of these CNAs are country and government-specific, or tied to individual software vendors or vulnerability disclosure platforms (a.k.a. bug bounty programs). Put simply, MITRE is a critical, widely-used resource for centralizing and standardizing information on software vulnerabilities. That means the pipeline of information it supplies is plugged into an array of cybersecurity tools and services that help organizations identify and patch security holes — ideally before malware or malcontents can wriggle through them.
21 notes
asasleszart · 1 month ago
Text
check this out, @muszeresz
13 notes
pavel-nosok · 7 months ago
Text
Multiple VMware NSX Vulnerabilities Let Attackers Gain Root Access
VMware has disclosed multiple vulnerabilities in its NSX product line that could potentially allow attackers to gain root access. The vulnerabilities, identified as CVE-2024-38818, CVE-2024-38817, and CVE-2024-38815, affect both VMware NSX and VMware Cloud Foundation. According to the Broadcom report, the advisory, VMSA-2024-0020, was initially published on October 9, 2024, and highlights the…
0 notes
mariacallous · 1 month ago
Text
In an eleventh-hour scramble before a key contract was set to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency renewed its funding for the longtime software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program. Managed by the nonprofit research-and-development group MITRE, the CVE Program is a linchpin of global cybersecurity—providing critical data and services for digital defense and research.
The CVE Program is governed by a board that sets an agenda and priorities for MITRE to carry out using CISA's funding. A CISA spokesperson said on Wednesday that the contract with MITRE is being extended for 11 months. “The CVE Program is invaluable to the cyber community and a priority of CISA,” they said in a statement. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
MITRE's vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that “CISA identified incremental funding to keep the Programs operational.” With the clock ticking down before this decision came out, though, some members of the CVE Program's board announced a plan to transition the project into a new nonprofit entity called the CVE Foundation.
“Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised long-standing concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,” the Foundation wrote in a statement. “This concern has become urgent following an April 15, 2025, letter from MITRE notifying the CVE Board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.”
It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime cybersecurity industry member who was quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.
CISA did not respond to questions from WIRED about why the fate of the CVE Program contract had been in question and whether it was related to recent budget cuts sweeping the federal government as mandated by the Trump administration.
Researchers and cybersecurity professionals were relieved on Wednesday that the CVE Program hadn't suddenly ceased to exist as the result of unprecedented instability in US federal funding. And many observers expressed cautious optimism that the incident could ultimately make the CVE Program more resilient if it transitions to be an independent entity that isn't reliant on funding from any one government or other single source.
“The CVE Program is critical, and it’s in everyone’s interest that it succeed," says Patrick Garrity, a security researcher at VulnCheck. “Nearly every organization and every security tool is dependent on this information, and it’s not just the US. It’s consumed globally. So it's really, really important that it continues to be a community-provided service, and we need to figure out what to do about this, because losing it would be a risk to everyone.”
Federal procurement records indicate that it costs in the tens of millions of dollars per contract to run the CVE Program. But in the scheme of the losses that can occur from a single cyberattack exploiting unpatched software vulnerabilities, experts tell WIRED, the operational costs seem negligible versus the benefit to US defense alone.
Despite CISA's last-minute funding, the future of the CVE Program is still unclear for the long term. As one source, who requested anonymity because they are a federal contractor, put it: “It's all so stupid and dangerous.”
10 notes
utopicwork · 1 month ago
Text
04/15/25
"Financial support for the system that tracks publicly disclosed cybersecurity vulnerabilities expires on April 16th."
52 notes
attritionorg · 2 months ago
Text
The Curious Case of CVE-2015-2551 & CVE-2019-9081 - Doom and Gloom! Or not.
What’s Your Story CVE-2015-2551? This CVE-2015-2551 entry seems straight-forward, based on the description provided by CVE or NVD. Looking at the change history on NVD it is a bit more informative: CVE Rejected by MITRE 5/11/2017 10:21:04 AM CVE Source Update by Microsoft Corporation 11/06/2023 9:25:22 PM They updated it to reflect they were the source, or assigning CNA. CVE Modified by…
0 notes
jimxugle · 1 month ago
Text
This will cause billions of dollars of damage to the American economy.
8 notes
cosmokrill · 2 years ago
Text
Stay safe! Make sure to use Discord on safe browsers like Chrome or any Chromium-based browser until Discord sends out a patch!
You don't want Ford to send you a .webp file on the Discord app and, just by viewing it, be infected with whatever malware he hid inside that funny picture! As cute as that face is, you can't trust them!
In all seriousness though, do stay safe. Considering it's a zero day exploit, Discord is going to roll out a patch asap. But until then, we will have to stick with browser Discord.
Here are some helpful articles, so you can stay informed!
CVE-2023-5129 is currently still a very real threat for apps such as Slack, Discord, Skype, Visual Studio Code, Twitch, Microsoft Teams, and the Github app.
Many browsers, such as Google Chrome, Firefox, Brave, and Opera have rolled out patches so as long as you update your browser you'll be all good!
98 notes