Windows TCO and Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by AlmaLinux (redis:6), Debian (frr and git-lfs), Fedora (SDL2_sound and webkit2gtk4.0), Gentoo (firefox, GPL Ghostscript, libgsf, libuv, PHP, Qt, QtWebEngine, and Yubico pam-u2f), Mageia (chromium-browser-stable), SUSE (helmfile, nvidia-modprobe, qt6-webengine, ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1, ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1, ruby3.4-rubygem-actiontext-8.0-8.0.1-1.1, ruby3.4-rubygem-actionview-8.0-8.0.1-1.1, ruby3.4-rubygem-activejob-8.0-8.0.1-1.1, ruby3.4-rubygem-activerecord-8.0-8.0.1-1.1, ruby3.4-rubygem-activestorage-8.0-8.0.1-1.1, ruby3.4-rubygem-rails-8.0-8.0.1-1.1, and ruby3.4-rubygem-railties-8.0-8.0.1-1.1), and Ubuntu (bluez, openjpeg2, and python-django).
-
Support for Istio 1.22 has ended
As previously announced, support for Istio 1.22 has now officially ended.
At this point we will no longer back-port fixes for security issues and critical bugs to 1.22. We highly recommend that you upgrade to the latest version of Istio (1.24.2) if you haven’t already.
-
SANS ☛ XSS Attempts via E-Mail, (Thu, Jan 23rd)
One of the hardest applications to create securely is webmail. E-mail is a complex standard, and almost all e-mail sent today uses HTML. Displaying complex HTML received in an e-mail within a web application is dangerous and often leads to XSS vulnerabilities. Typical solutions include the use of iframe sandboxes and HTML sanitizers. But still, XSS vulnerabilities sneak into applications even if they try hard to get it right.
-
Tom's Hardware ☛ Chinese hackers compromise South Korean VPN — malicious code found inside NSIS installer
ESET researchers uncovered a supply chain attack on a South Korean VPN by the China-aligned APT group PlushDaemon
-
OpenSSF (Linux Foundation) ☛ OpenSSF Newsletter – January 2025 [Ed: A part-time Microsoft megaphone and lobby]
Welcome to the January 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
-
OpenSSF (Linux Foundation) ☛ Predictions for Open Source Security in 2025: AI, State Actors, and Supply Chains [Ed: Microsoft-connected front group brings up "close call with the xz Utils backdoor" (used by Microsoft employee to distract from US government rebuke against Microsoft); Linux Foundation is not interested in real security]
Open source software is everywhere—used in almost every modern application—but the security challenges it faces continue to grow more serious. Relying on the backbone of volunteers, vulnerabilities now make it a prime target for cyberattacks by both malicious hackers and state actors. The close call with the xz Utils backdoor attack highlights just how fragile open source security can be. With open source tools being crucial for both private companies and governments, greater investment from the private sector and public sectors will be required.
-
Windows TCO / Windows Bot Nets
-
Silicon Angle ☛ SentinelOne report highlights shared tactics between HellCat and Morpheus ransomware groups
A new report out today from cybersecurity company SentinelOne Inc. is drawing attention to the evolving tactics of two prominent ransomware-as-a-service operations that have gained notoriety for targeting high-value sectors, including pharmaceuticals, manufacturing and government entities.
-
The Register UK ☛ Patch this hole or risk Kubernetes Windows node hijackings
Additionally, to exploit CVE-2024-9042, the Kubernetes cluster must not only be running Windows endpoints – the flaw doesn't affect any other OSes – it must be configured to run Log Query. This is a new, beta-level mechanism for pulling up the system status of remote machines using a command-line interface or a web API via a tool like Curl.