
Latest news with #CommonVulnerabilitiesandExposures

Urgent Microsoft Windows Cyberattack Warning: Avoid Opening These Files

NDTV

10-06-2025

Microsoft Windows users have been urgently warned about a dangerous cyberattack that can exploit a longstanding, unresolved security flaw involving Windows LNK files. As per a report in Forbes, citing cybersecurity researchers at Kaspersky and Trend Micro, the vulnerability, known as ZDI-CAN-25373, is being actively exploited by cybercriminals to mount a series of attacks this year.

A malicious LNK file can exploit a Windows feature by including an attacker-controlled network location, targeting users across different VLANs. It exploits a flaw in Windows File Explorer, which does not fully display certain parameters included in shortcut files. Despite the vulnerability existing for years, Windows has not assigned it a Common Vulnerabilities and Exposures (CVE) identifier, which is typically used to acknowledge and track security threats.

In a statement issued to the outlet, Microsoft claimed that its Defender includes content-scanning functionality that examines files, including LNK ones. "We appreciate the work of ZDI in submitting this report under a coordinated vulnerability disclosure. Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet," Microsoft said in a statement. "As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognise and warn users about potentially harmful files," it added. "While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release."

Despite Microsoft's assurance, the best protection against the flaw remains awareness and practising caution:

  • Don't open LNK files from unverified sources.
  • Ensure Microsoft Defender or your antivirus software remains updated.
  • Pay attention to security warnings displayed by Windows.

Google's advice to users

Recently, Google has also been urging its Gmail users to move on from older sign-in methods like passwords and two-factor authentication (2FA) to better secure their accounts. The tech giant told users to upgrade accounts to passkeys as well as social sign-ins, which use authenticated platforms like "Sign in with Google". Passkeys are a login system that replaces passwords with biometric authentication via a trusted device like a smartphone. Google views passkeys as "phishing resistant": they let users log in simply with the method they use to unlock their devices, which can include fingerprint recognition, facial scan, or the pattern lock.

AUS undergraduate uncovers security flaw in Python library, PyCel

Sharjah 24

19-05-2025

The vulnerability has been officially added to the CVE database

The vulnerability has since been officially added to the global Common Vulnerabilities and Exposures (CVE) database maintained by the US-based MITRE Corporation, a not-for-profit organization that plays a critical role in global cybersecurity. Most CVEs are reported by professional researchers, cybersecurity firms or PhD-level academics, which makes Elmosalamy's contribution particularly notable.

'This is a significant achievement that speaks to the quality of students we nurture at AUS,' said Dr. Fadi Aloul, Dean of CEN. 'Being assigned a CVE by MITRE is akin to earning a black belt in cybersecurity—a sign of exceptional skill. For an undergraduate to reach this level is remarkable. We are very proud of Elmosalamy's positive impact in the global cybersecurity domain.'

First identified the issue in November 2024

Elmosalamy first identified the issue in November 2024 during an independent review of open-source libraries. Within days, he developed a proof-of-concept and submitted a detailed report to MITRE. MITRE then validated the findings and assigned the official CVE number CVE-2024-53924. This number is a standardized identifier that can be used by developers, software engineers and other professionals around the world to track and respond to publicly disclosed cybersecurity flaws in software.

Elmosalamy's CVE-2024-53924 is known as a code execution vulnerability—one of the most severe types of software security risks. It affects users of PyCel who open untrusted Excel files, potentially allowing attackers to execute malicious code on their systems. It was assigned a CVSS severity score of 9.8/10, classifying it as 'critical' by the National Institute of Standards and Technology (NIST), which is responsible for evaluating and scoring CVEs through its National Vulnerability Database. Since assigning the CVE, MITRE has contacted the software vendors to fix the vulnerability. As of April 17, it began publicising the issue to try to protect all users vulnerable to the software.

'This is my first CVE, which is very special to me'

'This is my first CVE, which is very special to me. It's incredibly rewarding to see my knowledge applied in a way that contributes to securing our cyber infrastructure,' said Elmosalamy. 'This milestone reflects the many hours I've dedicated to learning and practicing cybersecurity, and I hope it encourages other students to explore this vital field. An AUS student first inspired me during my freshman year—someone whose passion left a lasting impression despite graduating that same semester. Since then, I've dedicated myself to creating a thriving cybersecurity community at AUS and competed in the Collegiate Penetration Testing Competition (CPTC) for three consecutive years. In 2022, I reached the finals in Rochester, New York. I later founded the Society of Cybersecurity (SOC) in 2023, through which I hosted 27 events over three semesters, from industry talks to bootcamps and an outreach workshop for high schoolers.'

Today, Elmosalamy is studying at AUS and working at CTFAE, a startup founded by AUS alumni, where he has built new products and helped organize major events, including the Guinness World Record-holding BlackHat Middle East cybersecurity conference in Riyadh.

'I'm deeply committed to establishing AUS as a regional leader in cybersecurity education'

'I'm deeply committed to establishing AUS as a regional leader in cybersecurity education, and I hope to see the university offer more specialized courses in areas like digital forensics, threat hunting and cryptography in future,' he said. Elmosalamy has published a technical explanation of his findings on GitHub, along with a video demonstration, to raise awareness among developers and end-users alike.

CEN offers talented students a range of programs that prepare them for cutting-edge careers in technology and cybersecurity, including the Bachelor of Science in Computer Engineering, Bachelor of Science in Computer Science, Master of Science in Computer Engineering (MSCOE) and the PhD in Electrical and Computer Engineering (PhD-ECE). The college's programs equip students with a strong foundation in IT, engineering and cybersecurity, and give them a competitive edge by incorporating emerging topics such as AI and machine learning—part of the college's recent CEN 2.0 curriculum enhancements.

Turns out Janet Jackson's laptop-crashing cursed bassline was the scourge of notebook makers for at least half a decade

Yahoo

04-05-2025

In a recent campaign of the TTRPG City of Mist, I played a world-weary lounge singer increasingly finding that the watery despair captured in the poem Lorelei was sending unwelcome ripples through her life. Perhaps needless to say, the idea of a songstress who harbours a voice with devastating power is a creative idea I find extremely compelling. So when I caught wind of a song with the power to crash laptops, I knew I had to dive deeper.

It sounds like an urban legend, but for years vendors of certain laptop models would quake in fear over a particular melody: Rhythm Nation by Janet Jackson. Once upon a time, playing this 1989 banger through certain laptop speakers wouldn't just crash that specific laptop, but could also temporarily compromise nearby laptops from different manufacturers within shoulder-shimmying, head-bobbing distance. Jacob wrote about it when this bizarre tech vulnerability first came to light, but now we know that this absolute belter was a cursed melody to some laptop vendors for half a decade (via PC World).

The story originally surfaced second-hand in a 2022 blog post from Raymond Chen, explaining that after a great deal of testing, the cause of the crashes was isolated to the sound of the song itself. It turns out 1989's Rhythm Nation harbours the resonant frequency for components within 5,400 RPM hard drives, causing the moving parts of the hard drive to vibrate in arcs that would gradually sweep wider than intended. Ultimately, sustained exposure to the resonant frequency created enough read errors to crash some laptops' operating systems; David Plummer, another Microsoft alumnus, breaks down how this works in his own retelling of the story.

As for what specific part of the song is doing the laptop crashing, Chen's follow-up post points to a brilliant musical analysis by Adam Neely; to summarise in a few words from someone who is definitely not a music theorist, Rhythm Nation's bassline is just that powerful, with a resonant peak of about 84.2 Hz. Common Vulnerabilities and Exposures (CVE) describes the issue as affecting laptops and PCs from "approximately 2005 and later."

To combat it, Microsoft wrote some Digital Signal Processor code to effectively filter out the offending frequencies on Windows XP machines. To be clear, this wasn't a bit of code specifically targeting Jackson's optimistic bop about the uniting power of music, but a notch filter intended to prevent speakers from playing all instances of the laptop-crashing resonant frequency.

So, how long was that bit of code in effect? Well, Chen wrote one more follow-up blog this month that revealed the filter was still present until at least the launch of Windows 7 in 2009. At this time, Microsoft imposed a new rule requiring that users must have the option to disable Audio Processing Objects (APOs), like the aforementioned frequency-filtering code. That's about half a decade of Microsoft and laptop vendors attempting to circumvent Rhythm Nation-induced crashes. The vendor of the primarily affected laptops applied for an exception, fearing that the bounce back of the bass might not just physically damage their products but also their reputation. On these grounds, the exemption was granted, meaning that out there somewhere a vendor of HDD laptops may still be haunted by the incredible bassline of Rhythm Nation.
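The notch-filter mitigation described above, as an added illustration that is not code from this article, from Raymond Chen's posts, or from Microsoft's actual Audio Processing Object (whose design is not on the page). It assumes a standard second-order IIR notch built from the RBJ Audio EQ Cookbook formulas, a 44.1 kHz sample rate and a Q of 10, all chosen for the example; it centres the notch on the 84.2 Hz peak named above, runs a synthesized 84.2 Hz tone and a 440 Hz control tone through it, and measures how much of each survives.

```python
"""Biquad notch filter demo: suppress one narrow resonant band before audio
reaches the speakers, leaving the rest of the spectrum untouched.

Added example; the filter topology, Q and sample rate are assumptions, not the
parameters of Microsoft's real APO.
"""
import math

RESONANT_HZ = 84.2      # peak named in the article
SAMPLE_RATE = 44100     # assumed sample rate
NOTCH_Q = 10.0          # assumed Q: bandwidth ~ f0/Q = ~8 Hz


def notch_coefficients(f0_hz, fs_hz, q):
    """Normalised (b0, b1, b2, a1, a2) for a biquad notch centred on f0_hz.

    Uses the RBJ 'Audio EQ Cookbook' notch design (an assumption for this
    example). Zeros sit exactly on the unit circle at +/- f0, so the gain at
    f0 is zero; the poles just inside the circle set the notch width.
    """
    w0 = 2.0 * math.pi * f0_hz / fs_hz
    alpha = math.sin(w0) / (2.0 * q)
    b0, b1, b2 = 1.0, -2.0 * math.cos(w0), 1.0
    a0, a1, a2 = 1.0 + alpha, -2.0 * math.cos(w0), 1.0 - alpha
    return (b0 / a0, b1 / a0, b2 / a0, a1 / a0, a2 / a0)


def apply_biquad(samples, coeffs):
    """Run a direct-form-I biquad over a list of float samples."""
    b0, b1, b2, a1, a2 = coeffs
    x1 = x2 = y1 = y2 = 0.0
    out = []
    for x in samples:
        y = b0 * x + b1 * x1 + b2 * x2 - a1 * y1 - a2 * y2
        x2, x1 = x1, x
        y2, y1 = y1, y
        out.append(y)
    return out


def magnitude_response(coeffs, f_hz, fs_hz):
    """|H(e^jw)| of the biquad at f_hz, evaluated analytically."""
    b0, b1, b2, a1, a2 = coeffs
    w = 2.0 * math.pi * f_hz / fs_hz
    z1 = complex(math.cos(w), -math.sin(w))   # e^{-jw}
    z2 = z1 * z1                              # e^{-2jw}
    num = b0 + b1 * z1 + b2 * z2
    den = 1.0 + a1 * z1 + a2 * z2
    return abs(num / den)


def sine(f_hz, fs_hz, seconds, amplitude=1.0):
    """Constructed test signal: a full-scale sine at f_hz."""
    n = int(fs_hz * seconds)
    return [amplitude * math.sin(2.0 * math.pi * f_hz * i / fs_hz) for i in range(n)]


def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def residual_after_filter(f_hz, f0_hz=RESONANT_HZ, fs_hz=SAMPLE_RATE, q=NOTCH_Q):
    """RMS of a full-scale tone at f_hz after the notch, measured over the
    second half of a 2-second signal so the filter's start-up transient has
    died out. A full-scale sine that passes untouched has RMS ~0.707."""
    coeffs = notch_coefficients(f0_hz, fs_hz, q)
    filtered = apply_biquad(sine(f_hz, fs_hz, 2.0), coeffs)
    return rms(filtered[fs_hz:])


if __name__ == "__main__":
    coeffs = notch_coefficients(RESONANT_HZ, SAMPLE_RATE, NOTCH_Q)
    for f in (RESONANT_HZ, 80.0, 90.0, 440.0):
        gain = magnitude_response(coeffs, f, SAMPLE_RATE)
        level = residual_after_filter(f)
        print(f"{f:7.1f} Hz: |H| = {gain:.6f}, residual RMS = {level:.6f}, "
              f"attenuation = {-20 * math.log10(max(level / 0.7071, 1e-12)):.1f} dB")
```

Running the block prints the residual level of each tone: the 84.2 Hz tone is driven into the numerical noise floor while the 440 Hz control tone passes within a fraction of a percent, which is the property a vendor wants from such a filter, suppressing only the narrow resonant band rather than the whole bass range. The neighbouring 80 Hz and 90 Hz rows show how quickly the notch lets sound through again; a real deployment would need the resonant frequency measured per drive model, and, as the article notes, Windows 7 later required this kind of processing to be user-disableable.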

The Wiretap: Trump's Cybersecurity Agency Avoided A Near Disaster

Forbes

22-04-2025

The Wiretap is your weekly digest of cybersecurity, internet privacy and surveillance news.

An essential, constantly updated database of cybersecurity vulnerabilities almost went offline last week. Run by Mitre, the Common Vulnerabilities and Exposures (CVE) database has become vital to all manner of digital defenders, from those on enterprise IT teams to those keeping tabs on national security threats. It's proven particularly helpful in understanding the severity of a software or hardware flaw, determining whether it's actively being exploited by hackers, and assessing whether a fix is urgently needed.

Mitre had warned users that funding for the CVE project, which came via the DHS Cybersecurity and Infrastructure Security Agency (CISA), was going to run out on Wednesday April 16. In a last-minute reprieve, though, CISA confirmed it would continue to provide financial backing for it. Inside CISA, staff told Forbes it was a whirligig week where, within 24 hours, the agency had gone from causing a disaster to averting one. 'It would have been devastating for defenders,' said one CISA employee. 'What a mess,' said another.

Beyond saying that 'the CVE Program is invaluable to the cyber community and a priority of CISA,' the agency is yet to offer any kind of explanation for the brinksmanship. CISA is currently without a permanent director, with Sean Plankey, Trump's nominee, yet to be approved by Congress. The sooner the agency has some stability, the less likely it is that such snafus come close to causing catastrophic damage to American cybersecurity.

Got a tip on surveillance or cybercrime? Get me on Signal at +1 929-512-7964.

Palantir, the $20 billion surveillance company, is upping its work with Immigration and Customs Enforcement (ICE) via contracts asking it to build a 'complete target analysis of known populations,' reports 404 Media. A subsequent leak of internal Palantir communications revealed that it's going to be helping locate people in the country illegally, while planning for a backlash externally and internally. Staff have been given guidance on the ethics of working on such large-scale work with an agency like ICE, showing how Palantir is worried about the optics of the contracts.

Cops across America are starting to utilize AI agents to help spy on social media, according to a Wired and 404 Media report. Among the agents advertised to cops by providers were a fake college protester and a potential child sex trafficking victim.

Pedestrian crosswalks were hacked in Seattle last week to have a fake Jeff Bezos start spouting tongue-in-cheek pro-billionaire spiel. 'Please, please don't tax the rich. Otherwise, all the other billionaires will move to Florida too,' it said, referencing the Amazon founder's residency change that saved him an estimated $1 billion.

A draft bill currently in the Florida legislature would, if it passed, require social media companies to build backdoors that would allow law enforcement to decrypt messages.

Secretary of Defense Pete Hegseth has all but confirmed new reports suggesting he shared sensitive information about U.S. attack plans in Yemen in a second Signal group chat.

The Forbes 30 Under 30 Europe list was launched last week. One lister was a Ukrainian cybersecurity startup, LetsData. Launched in 2022, it's an AI-driven company that claims it can spot and tackle disinformation campaigns.

Michael McMahon, a retired NYPD sergeant turned private detective, has been sentenced to 18 months in prison for his part in harassing and stalking a Chinese expatriate named Xu Jin, who is wanted by his homeland's government. It's alleged McMahon helped his client even though he knew it appeared to be part of a Chinese government plot to get Jin to return to China.

CVE's Near Cybersecurity Miss Averted — But The World Must Step Up

Forbes

17-04-2025

[Image caption: The cybersecurity world, shocked by the near-shutdown of the CVE system — a quiet crisis that nearly disrupted the backbone of global vulnerability coordination.]

In cybersecurity, some moments pass quietly. Others expose deep fault lines. The near shutdown of the Common Vulnerabilities and Exposures Program — operated by MITRE and funded by the United States Cybersecurity and Infrastructure Security Agency — was the latter. With just hours left before funding expired, CISA, already operating under intense budget pressure, extended the contract and narrowly averted disruption to the backbone of global vulnerability coordination. This wasn't a budget hiccup or a DOGE sensational headline. It was a warning flare.

For more than two decades, CVE has served as the global catalog of known cybersecurity vulnerabilities. Everyone — from intelligence agencies and infrastructure operators to security vendors and open-source developers — relies on it. Yet one nation has carried the cost while the entire world benefits. That model is no longer sustainable — and it never truly was.

MITRE is a federally funded research and development center — a nonprofit that operates exclusively in the public interest. It runs multiple research centers on behalf of agencies like the Department of Defense, Department of Homeland Security, Federal Aviation Administration and the Centers for Medicare and Medicaid Services. Unlike commercial firms, MITRE doesn't sell products or compete for private contracts. Its mandate is to solve problems too complex, sensitive or mission-critical for the private sector to address alone.

In cybersecurity, MITRE is best known for stewarding:

  • CVE: Common Vulnerabilities and Exposures, the global identifier system for software flaws
  • ATT&CK: a framework of adversary tactics and techniques
  • CWE: Common Weakness Enumeration, a catalog of software design weaknesses

MITRE operates quietly but critically — a trusted technical authority at the center of digital defense. And for the record — MITRE doesn't stand for anything. It's a legacy name, like RAND. Originally affiliated with the Massachusetts Institute of Technology, the organization has long since outgrown its acronymic roots.

CVE is the Rosetta Stone of vulnerability management. Every known software flaw receives a unique identifier, enabling defenders, vendors and governments to coordinate response, issue guidance and deploy patches with precision. Without CVE:

  • Teams use inconsistent naming conventions
  • Alerts become fragmented
  • Security tools lose interoperability
  • Threat intelligence sharing breaks down

As Jen Easterly, the prior Director of CISA, noted this week, CVE is more than a database — it is 'a pillar of operational resilience and national security.' And it came dangerously close to collapse.

The Trump administration has made clear its intent to streamline federal spending and question programs that do not yield direct national benefit. Whether this latest contract drama was the result of oversight or intentional brinkmanship, the outcome is the same — a critical global system was nearly put at risk because of domestic budget negotiations.

So the shock to the system happened. On April 15, MITRE issued a stunning warning: funding for the CVE system would expire within 24 hours. The cybersecurity community responded with alarm. A breakdown in this system would mean chaos — confusion among defenders, delayed patching and increased exposure to active threats. Hours before the deadline, CISA issued an eleven-month extension.

But while the short-term crisis was averted, the structural risk remains. CVE is a global system — yet it lives entirely on American funding. Since 1999, MITRE has operated CVE under U.S. government sole sponsorship. That funding has enabled a global system — but the burden has fallen squarely on one agency, and one country. The European Union has its own database, but it is largely unknown. Nations across Asia, the Middle East Gulf States and beyond all consume CVE data and build tools around it — without meaningful financial contribution.

Meanwhile, cybersecurity vendors spend millions annually on conference booths, marketing activations and branded swag. Redirecting even a fraction of those budgets toward shared infrastructure like CVE would likely do more to secure their customers — and strengthen their credibility — than another oversized LED wall or fancy drone display at the upcoming RSA conference.

This crisis genuinely creates the opportunity for reform. A newly announced nonprofit — the CVE Foundation — has emerged as a potential future steward of the CVE system. This is the right move — but it needs broad support, generous funding and real structure. The best solution is to transition CVE to a multi-stakeholder foundation model, governed by both private industry and international governments, with MITRE as the technical anchor — not the financial underwriter. Here's what that model should include:

  • Private Sector Co-Funding: Security vendors, cloud providers and software giants should contribute proportionally. They all benefit from CVE — it's time they help sustain it. In fact, this may be one of the highest-return investments a company can make from its marketing budget.
  • Global Buy-In and Funding: Countries outside the United States must step up. The European Union maintains its own vulnerability catalog, but it lacks global adoption and visibility. CVE has become the de facto international standard — the common language for cybersecurity coordination across borders. It's time for allied nations, especially those who rely on CVE for their own national defense and critical infrastructure, to redirect a portion of their cybersecurity budgets toward sustaining this shared system. Funding a globally relied-upon platform is not charity — it's strategic investment in collective resilience.
  • Independent Oversight: The new CVE Foundation must be neutral, community-driven and resilient — free from sole reliance on any one government.

Let MITRE continue operating CVE. Their technical stewardship is excellent. But move the financial dependency to a diversified global model before the next contract cliff.

The near-collapse of CVE was a stark reminder of just how fragile our cybersecurity foundations can be. It exposed the risks of relying on a single point of failure — and the assumption that one nation will indefinitely shoulder the weight of a global system. This isn't about blame. It's about modernization. A vulnerability catalog used by every business and government on Earth cannot hinge on the budget cycles of a single capital.

The system held — for now. But what comes next must be deliberate, strategic and shared. Why should American taxpayers alone fund a tool the entire world depends on? Should the security of our digital infrastructure rise and fall with domestic politics? If the world relies on CVE — the world must help fund CVE.
