InfoQ Homepage Security Vulnerabilities Content on InfoQ
-
Cloudflare Advocates for Broader Adoption of security.txt Standard for Vulnerability Reporting
To address the issue of unreported security vulnerabilities, Cloudflare recently launched a dashboard to help create and manage a security.txt file for website vulnerability disclosures. The generated file adheres to the RFC9116 standard, offering security research teams a standardized method for reporting vulnerabilities.
-
Security Experts Exploit Airport Security Loophole with SQL Injection
In the article "Bypassing airport security via SQL injection," two security researchers recently demonstrated how they executed a simple SQL injection attack on a service that enables pilots and flight attendants to bypass airport security screening.
-
GhostWrite Vulnerability in C910 and C920 RISC-V CPUs
CISPA security researchers have discovered a vulnerability they’ve called ‘GhostWrite’ that’s caused by a hardware bug in T-Head’s XuanTie C910 and C920 RISC-V CPUs. Vector extensions that are supposed to provide translation of virtual memory addresses to physical addresses don’t work, meaning that an attacker can gain access to the contents of memory and any attached devices.
-
SSH Backdoor from Compromised XZ Utils Library
When Microsoft engineer Andres Freund noticed SSH was taking longer than usual, he discovered a backdoor in xz utils, one of the underlying libraries for systemd, that had taken years to be put in place. The backdoor had found its way into testing releases of Linux distributions like Debian Sid, Fedora 41 and Fedora Rawhide but was caught before propagating into more highly used stable releases.
-
Will C++ Become a Safe Language Like Rust and Others?
In a recent article, C++ expert and ISO C++ Committee Chair Herb Sutter expressed his views about what it takes to make C++ a safe language in the guise of Rust and other memory-safe languages (MSLs). His recipes include relying on tooling, as is the case with other MSLs, promoting safe language features, pushing unsafe features behind compiler flags, and more.
-
GUAC Joins OpenSSF as Incubating Project
The Graph for Understanding Artifact Composition (GUAC) has joined the Open Source Security Foundation (OpenSSF) as an incubating project. GUAC provides a tool and underlying API to analyse and visualise software bill of materials (SBOM) along with threat intelligence feeds to determine whether vulnerabilities impact an application.
-
LeftoverLocals May Leak LLM Responses on Apple, Qualcomm, and AMD GPUs
Security firm Trail of Bits disclosed a vulnerability allowing malicious actors to recover data from GPU local memory on Apple, Qualcomm, AMD, and Imagination GPUs. Dubbed LeftoverLocals, the vulnerability affects any application using the GPU, including Large Language Models (LLMs) and machine learning (ML) models.
-
Zoom Open-sources New Vulnerability Impact Scoring System VISS
Zoom Vulnerability Impact Scoring System, or VISS for short, aims to help organizations enforce security measures based on a new approach to vulnerability scoring that prioritizes actual demonstrated impact over theoretical security impact possibilities.
-
Cloudflare, Google and AWS Disclose HTTP/2 Zero-Day Vulnerability
On October 10th, Cloudflare, Google, and AWS disclosed a novel zero-day vulnerability attack known as the "HTTP/2 Rapid Reset." This attack exploits a weakness in the HTTP/2 protocol to generate enormous Distributed Denial of Service (DDoS) attacks, up to almost 400 million requests per second (rps).
-
TorchServe Potentially Exposed to Remote Code Execution
Israeli-based security company Oligo has uncovered multiple vulnerabilities in TorchServe, the tool used to serve PyTorch models, that could allow an attacker to run arbitrary code on vulnerable systems. The vulnerabilities have been promptly fixed in TorchServe version 0.82.
-
Microsoft AI Researchers Accidentally Exposed 38TB of Sensitive Data
Security researchers at cloud-security company Wiz discovered a data leak affecting Microsoft's AI GitHub repository, including a huge amount of private data and a disk backup of two employees' workstations with sensitive data.
-
GitHub Dependabot Gets Customizable Auto-Triage Rules to Reduce False Positives
After launching Dependabot's auto-dismiss policies a few months ago to reduce the number of false positive alerts, GitHub is now adding custom rules support for developers to define the criteria to auto-dismiss and reopen alerts.
-
OpenSSF New Manifesto Urges the Software Industry to Take Responsibility for Open Source Security
The Open Source Consumption Manifesto from OpenSSF aims to make the software industry more aware of its responsibility when it comes to ensuring the software supply chain remains secure and healthy.
-
New Downfall Attack Could Lead to Sensitive Data Leakage on Intel Processors
Security researcher Daniel Moghimi discovered a new side-channel vulnerability affecting Intel processors that could be exploited to steal data from other users or apps running on the same computer. Dubbed Downfall, the vulnerability has been patched by Intel and mitigated by most major OS vendors.
-
Chrome Supports Key Pinning on Android to Improve Security
Key pinning, a technique used to prevent an attacker from tricking a vulnerable certificate authority (CA) into issuing an apparently valid certificate for a server, is now used in Chrome for Android, version 106, to help prevent man-in-the-middle attacks against Google services.