Security Leftovers
-
Is this CVSS 10 Linux Kernel vulnerability going to ruin your Christmas? [Ed: It's more about SMB than Linux, and requires some access level]
Every security researcher just knew some god-awful vulnerability was going to get lobbed into the mix just as people wind down for the holiday and it looked for a moment like it might have landed: A critical (CVSS 10) vulnerability in the Linux kernel that lets remote and unauthenticated hackers execute arbitrary code? Yikes.
-
Patch now: Serious Linux kernel security hole uncovered [Ed: Most machines aren't impacted because of how they are set up]
-
LastPass has been breached: What now? | Almost Secure
If you have a LastPass account you should have received an email updating you on the state of affairs concerning a recent LastPass breach. While this email and the corresponding blog post try to appear transparent, they don’t give you a full picture. In particular, they are rather misleading concerning a very important question: should you change all your passwords now?
-
Zerobot malware now shooting for Apache systems • The Register
The Zerobot botnet, first detected earlier this month, is expanding the types of Internet of Things (IoT) devices it can compromise by going after Apache systems.
The botnet, written in the Go programming language, is being sold under the malware-as-a-service (MaaS) model and spreads through vulnerabilities in IoT devices and web applications, according to the Microsoft Security Threat Intelligence (MSTIC) team in a report released on Wednesday.
-
Security updates for Friday [LWN.net]
Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls).