June 2022

The maintainers of the RubyGems package manager have addressed a critical security flaw that could have been abused to remove gems and replace them with rogue versions under specific circumstances.   "Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so," RubyGems said in a security...

Read More

Heads up for network administrators with F5’s BIG-IP family of networking devices in their environment: There is a new security update available for the newly disclosed critical remote code execution vulnerability (CVE-2022-1388). Several security researchers have already created working exploits, so administrators need to move quickly and secure their networks before the attackers come knocking.   According to security researcher Kevin Beaumont, attackers are already trying to...

Read More

The transition into CWPP   Agility and flexibility were key directives in the development of new technology, which is why on-premise assets soon transitioned into virtual machines, which further transformed into compact and swift containers. Modern enterprise network environments are increasingly transforming to be cloud-based, where both applications and data storage are hosted in a cloud — and often multi-cloud — environment. The attack surfaces and...

Read More

Cisco Systems on Wednesday shipped security patches to contain three flaws impacting its Enterprise NFV Infrastructure Software (NFVIS) that could permit an attacker to fully compromise and take control over the hosts.   Tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, the vulnerabilities "could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak...

Read More

Security experts have been banging the multifactor authentication drum for years, encouraging users to move away from just relying on the username/password combination to secure their most sensitive accounts. Now GitHub is done with encouraging: By the end of 2023, all users who contribute code to GitHub-hosted repositories must have one or more forms of two-factor authentication enabled, the company says.   Zero-day attacks and sophisticated exploits...

Read More

Big picture, security professionals worry about how to defend their organizations against increasingly sophisticated attacks exploiting zero-day vulnerabilities or nation-state attackers, but their day-to-day security concerns appear to be far more prosaic. According to Dark Reading's "The State of Malware Threats" report, ransomware and phishing attacks are top-of-mind for security professionals.   When asked which type of attacks worried them most, 61% of IT security professionals cited...

Read More