
Apple's Latest iPhone Update: Bad News for Millions of Google Users


If the latest reports are correct, Apple consumers have just over a fortnight to wait until the launch of iOS 18.1 and the belated arrival of Apple Intelligence, the flagship feature in the latest iOS release. Until then the most significant update is still RCS, the even more belated upgrade of stock SMS on iPhones. 

As security experts have already noted, Apple's RCS upgrade has significant security shortcomings. The key one is the lack of end-to-end encryption, a major step backwards, but there is also patchy carrier adoption, no full iMessage integration, and no end in sight for those dreaded green bubbles.

But Google campaigned hard for years, cajoling Apple into making this move as its own Android Messages app lost ever more ground to WhatsApp and other over-the-top messaging services, while Apple seemingly brushed away any concerns, with its critical US user base continuing to iMessage among themselves.

And, while Google has teased Apple over its flawed RCS implementation, it has also made clear how welcome this is. But there was always the chance that Google and its users would not get the level playing field they wanted, and that risk now appears to be coming true.

Android Authority recently claimed that "iPhone users are not as into RCS as their Android buddies would have liked." There are some clear barriers to better adoption, particularly carrier support. But the underlying issue is much simpler: WhatsApp. This long-awaited partial integration of iMessage and Google Messages has been so delayed that WhatsApp has effectively locked down every significant market outside of the United States (and China). 

With iMessage's security being one of Apple's main selling points, security and privacy have become so central to the iPhone and its user base that an update which abandons all of that looks counter-intuitive in every sense. What makes it worse is that Google, too, cannot view user content because of its extensive use of end-to-end encryption across its own platform, which is comparable to Apple's. All of that protection disappears, however, when texting cross-platform over RCS.

A SQL Injection Bug Hits the Django Web Framework


A serious vulnerability has been addressed in the most recent versions of the open-source Django web framework. 

Updates decrease the risk of SQL Injection

Developers are advised to update or patch their Django instances as soon as possible now that the Django team has issued versions 4.0.6 and 3.2.14, which fix a high-severity SQL injection vulnerability.

Malicious actors may exploit the vulnerability, CVE-2022-34265, by passing crafted inputs to the Trunc and Extract database functions.

According to the researchers, the issue lies in the Trunc() and Extract() database functions and can be exploited if untrusted data is used as the kind or lookup_name value. The risk of exploitation can be reduced by applying input sanitization to the values passed to these functions.
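The mitigation the advisory points at, input sanitization of the kind / lookup_name values, is shown below as an added example; it is not Django's own code nor part of the original post. It assumes a hypothetical view that reads the `period` and `part` query parameters from a request and would otherwise hand them straight to `Trunc()` and `Extract()`. The allowlists are the values Django documents for those two functions, hard-coded here so the check runs without Django installed; the function names (`safe_trunc_kind`, `safe_extract_lookup`, `build_report_kwargs`) are this example's own.

```python
# Added example, not Django's own code: allowlist validation for values that a
# view would otherwise pass straight from the request into Trunc()/Extract().
# Assumed (hypothetical) view parameters: ?period=<kind> and ?part=<lookup_name>.

# Accepted `kind` values for Trunc() and `lookup_name` values for Extract(),
# as documented by Django. Note that the two lists differ: a value that is
# valid for one function is not automatically valid for the other.
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "hour", "minute", "second", "date", "time",
})
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "day", "week",
    "week_day", "iso_week_day", "hour", "minute", "second",
})


class UnsafeDateFunctionArgument(ValueError):
    """Raised when a request-supplied kind/lookup_name is not on the allowlist."""


def validate_date_function_arg(value, allowed):
    """Return the canonical allowlisted form of `value`, or raise.

    Only an exact (whitespace-trimmed, case-folded) allowlist match passes.
    Anything else, including strings carrying quotes, parentheses or other
    SQL syntax, is rejected before it can reach the database layer. The
    check is a positive allowlist, not a blocklist of "bad" characters.
    """
    if not isinstance(value, str):
        raise UnsafeDateFunctionArgument(
            f"expected str, got {type(value).__name__}"
        )
    canonical = value.strip().lower()
    if canonical not in allowed:
        raise UnsafeDateFunctionArgument(f"unsupported value: {value!r}")
    return canonical


def safe_trunc_kind(value):
    """Validate a value destined for Trunc(expression, kind=...)."""
    return validate_date_function_arg(value, TRUNC_KINDS)


def safe_extract_lookup(value):
    """Validate a value destined for Extract(expression, lookup_name=...)."""
    return validate_date_function_arg(value, EXTRACT_LOOKUPS)


def build_report_kwargs(params):
    """Turn request query parameters into checked keyword arguments.

    `params` is a dict-like object such as request.GET. The returned values
    are what a view would then use as, for example,
        queryset.annotate(period=Trunc("created", kind=kind),
                          part=Extract("created", lookup_name=lookup))
    Missing parameters get a safe default; invalid ones raise instead of
    being passed through.
    """
    kind = safe_trunc_kind(params.get("period", "day"))
    lookup = safe_extract_lookup(params.get("part", "hour"))
    return {"kind": kind, "lookup_name": lookup}


if __name__ == "__main__":
    # Constructed sample request parameters: one clean, one malformed.
    print(build_report_kwargs({"period": "Month", "part": "week_day"}))
    try:
        build_report_kwargs({"period": "month)", "part": "hour"})
    except UnsafeDateFunctionArgument as exc:
        print("rejected:", exc)
```

The point of keeping two separate allowlists is that `iso_year` is a legitimate `Extract` lookup but not a `Trunc` kind; a single shared list would let a value through to a function that does not expect it. Raising rather than silently substituting a default for invalid input also keeps the rejection visible in application logs.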

Bugfixes 

Django's main branch and the 4.1, 4.0, and 3.2 release branches have all received patches to fix the problem. 

"This security update eliminates the problem, but we've found enhancements to the Database API methods for date extract and truncate that should be added to Django 4.1 before its official release. Django 4.1 release candidate 1 or newer third-party database backends will be affected by this until they can be updated to the new API. We apologize for the trouble," the Django team stated.

VMware Patched SSRF & Arbitrary File Read Flaws in vCenter Server


VMware has published security upgrades for the vCenter Server after addressing arbitrary file read and server-side request forgery (SSRF) vulnerabilities in the vSphere Web Client (FLEX/Flash).

A VMware security advisory was released on November 23, and the US Cybersecurity and Infrastructure Security Agency (CISA) also urged enterprises running vulnerable instances of the server management platform to deploy the required updates.

In terms of severity, both flaws were rated 'important.' The more serious, with a CVSS score of 7.5, is the arbitrary file read flaw (CVE-2021-21980), which if exploited could allow an attacker to gain access to sensitive information. The SSRF vulnerability (CVE-2021-22049), with a CVSS score of 6.5, was found in the vSAN Web Client (vSAN UI) plugin. An attacker could exploit it to access an internal service or make a URL request from outside of the vCenter Server.

VMware has released security updates for vCenter Server versions 6.5 and 6.7 that address both vulnerabilities. The issues do not affect the 7.x release line, which does not use the vSphere Web Client (FLEX/Flash). Cloud Foundation's 3.x release line is still awaiting patches for both problems, whereas 4.x is unaffected.

VMware credited Orz lab's 'ch0wn' for disclosing the arbitrary file read issue and the QI-ANXIN Group's 'magiczero' for reporting the SSRF. According to Statista, three of the top five server virtualization systems by market share are VMware platforms, with vSphere leading the pack and vCenter Server ranking fifth.

VMware's dominance in the server virtualization market, combined with many organisations' slowness in applying updates, has made its systems attractive targets for skilled attackers. The Daily Swig reported in September that another significant arbitrary file upload flaw in vCenter Server was being exploited in the wild.

In June, it was revealed that thousands of vCenter Server instances remained unpatched for three weeks after a pair of serious issues in the vSphere Client (HTML5) were discovered.