Lateo.net - RSS feeds galore (to add one: @ me)

Ars Technica

Agencies using vulnerable Ivanti products have until Saturday to disconnect them

By: Dan Goodin

Federal civilian agencies have until midnight Saturday morning to sever all network connections to Ivanti VPN software, which is currently under mass exploitation by multiple threat groups. The US Cybersecurity and Infrastructure Security Agency mandated the move on Wednesday after disclosing three critical vulnerabilities in recent weeks.

Three weeks ago, Ivanti disclosed two critical vulnerabilities that it said threat actors were already actively exploiting. The attacks, the company said, targeted “a limited number of customers” using the company’s Connect Secure and Policy Secure VPN products. Security firm Volexity said on the same day that the vulnerabilities had been under exploitation since early December. Ivanti didn’t have a patch available and instead advised customers to follow several steps to protect themselves against attacks. Among the steps was running an integrity checker the company released to detect any compromises.

Almost two weeks later, researchers said the zero-days were under mass exploitation in attacks that were backdooring customer networks around the globe. A day later, Ivanti failed to make good on an earlier pledge to begin rolling out a proper patch by January 24. The company didn’t start the process until Wednesday, two weeks after the deadline it set for itself.

Actively exploited 0-days in Ivanti VPN are letting hackers backdoor networks

By: Dan Goodin

Unknown threat actors are actively targeting two critical zero-day vulnerabilities that allow them to bypass two-factor authentication and execute malicious code inside networks that use a widely used virtual private network appliance sold by Ivanti, researchers said Wednesday.

Ivanti reported bare-bones details concerning the zero-days in posts published on Wednesday that urged customers to follow mitigation guidance immediately. Tracked as CVE-2023-46805 and CVE-2024-21887, they reside in Ivanti Connect Secure, a VPN appliance often abbreviated as ICS. Formerly known as Pulse Secure, the widely used VPN has harbored previous zero-days in recent years that came under widespread exploitation, in some cases to devastating effect.

Exploiters: Start your engines

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” researchers from security firm Volexity wrote in a post summarizing their investigative findings of an attack that hit a customer last month. “In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.” Researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster went on to write:

Google researchers report critical 0-days in Chrome and all Apple OSes

By: Dan Goodin

Researchers in Google's Threat Analysis Group have been as busy as ever with discoveries that have led to the disclosure of three high-severity zero-day vulnerabilities under active exploitation in Apple OSes and the Chrome browser in the span of 48 hours.

Apple on Thursday said it was releasing security updates fixing two vulnerabilities present in iOS, macOS, and iPadOS. Both of them reside in WebKit, the engine that drives Safari and a wide range of other apps, including Apple Mail, the App Store, and all browsers running on iPhones and iPads. While the update applies to all supported versions of Apple OSes, Thursday’s disclosure suggested that the in-the-wild attacks that are exploiting the vulnerabilities targeted earlier versions of iOS.

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” Apple officials wrote of both vulnerabilities, which are tracked as CVE-2023-42916 and CVE-2023-42917.

Soda additive linked to thyroid toxicity may finally get banned by FDA

By: Beth Mole

Image caption: Sundrop is among the citrus soft drinks that still contain BVO. (credit: Sun Drop)

The Food and Drug Administration may finally ban a food additive used in citrusy drinks that the agency determined over 50 years ago could not be considered generally safe. The agency proposed a ban on the additive Thursday.

The additive is brominated vegetable oil (BVO), which is a flavoring emulsifier and stabilizer that has been used to keep citrus flavoring from separating and floating to the top of soft drinks since the 1920s. It was previously used in big brand-name beverages such as Mountain Dew and Gatorade but has been removed amid toxicity concerns in recent years. Since at least 2014, PepsiCo and Coca-Cola have been phasing out BVO from their drinks, though it can still be found in some store-brand sodas and regional drinks, including the citrus soda Sun Drop.

BVO is already banned in Europe, Japan, Australia, and New Zealand. In October of this year, California banned BVO, along with other problematic food additives, including red dye No. 3. (While reporting California's ban on red dye No. 3, Ars also reported that the FDA planned to ban BVO.)
