Security Leftovers

posted by Roy Schestowitz on Apr 06, 2024

• Security updates for Thursday

  Security updates have been issued by CentOS (firefox and thunderbird), Debian (chromium and gtkwave), Fedora (micropython), Slackware (xorg), SUSE (util-linux and xen), and Ubuntu (firefox).

• Mozilla ☛ Mozilla Security Blog: Rapidly Leveling up Firefox Security

  At Mozilla, we believe in an open web that is safe to use. To that end, we improve and maintain the security of people using Firefox around the world. This includes a solid track record of responding to security bugs in the wild, especially with bug bounty programs such as Pwn2Own. As soon as we discover a critical security issue in Firefox, we plan and ship a rapid fix. This post describes how we recently fixed an exploit discovered at Pwn2Own in less than 21 hours, a success only made possible through the collaborative and well-coordinated efforts of a global cross-functional team of release and QA engineers, security experts, and other stakeholders.

• Security Week ☛ Pixel Phone Zero-Days Exploited by Forensic Firms

  Google this week patched two Pixel phone zero-day vulnerabilities actively exploited by forensic companies to obtain data from devices.

• Security Week ☛ US Cancer Center Data Breach Impacting 800,000

  City of Hope is notifying 800,000 individuals of a data breach impacting their personal and health information.

• Security Week ☛ Critical Vulnerability in Progress Flowmon Allows Remote Access to Systems

  A critical OS command injection in Progress Flowmon can be exploited to gain remote, unauthenticated access to the system.

• Security Week ☛ Ivanti CEO Vows Cybersecurity Makeover After Zero-Day Blitz

  Ivanti releases a carefully scripted YouTube video and an open letter from chief executive Jeff Abbott vowing to fix the entire security organization.

• Cloudbooklet ☛ PandaBuy Data Breach: 1.3 Million Users Affected!

  Discover the critical details of the PandaBuy data breach that impacted 1.3 million users. Learn about the urgent measures taken and the implications for online security.

• OpenSSF (Linux Foundation) ☛ Static Binary Analysis: A Final Exam for Software Supply Chain Protection

  The compromise of VoIP provider 3CX is just one of the latest incidents to highlight gaps in software supply chain security - and the need for a new approach to supply chain risk management, writes Charlie Jones of ReversingLabs.

• Security Week ☛ New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset

  New HTTP/2 DoS method named Continuation Flood can pose a greater risk than Rapid Reset, which has been used for record-breaking attacks.

• Security Week ☛ SurveyLama Data Breach Impacts 4.4 Million Users

  Data breach impacting users’ personal information prompts survey rewards platform SurveyLama to reset passwords.