Latest news with #vulnerabilities
Yahoo
12 hours ago
- Yahoo
Security Flaw in Bluetooth Headphones: Sony, Bose, JBL and Other Brands Affected
German security researchers have discovered significant vulnerabilities in Bluetooth headphones that allow eavesdropping on conversations or initiating calls without prior pairing. Devices from numerous well-known manufacturers are affected, yet many users are likely unaware of these risks.

The issue is a security vulnerability in chips from a well-known manufacturer, which are used in many Bluetooth headphones from popular brands such as Sony, Bose, JBL, Jabra, and Marshall. The discovered weaknesses allow attackers to take control of headphones remotely without needing a prior connection. Sensitive actions like eavesdropping on conversations or initiating calls are also possible under certain conditions.

Researchers from the Heidelberg-based IT security company Enno Rey Netzwerke GmbH (ERNW) have identified several security vulnerabilities in Bluetooth chips from the Taiwanese manufacturer Airoha. The researchers presented their findings at the Troopers security conference in Heidelberg. The vulnerabilities affect several SoCs (systems-on-a-chip) from Airoha, which are used in true wireless headphones, among other devices. Through specially crafted protocol messages, attackers can access the working memory and flash memory of the devices. It is sufficient to be within Bluetooth range, about ten meters. Although Airoha has already provided a software update, users are still waiting in vain for firmware updates from the manufacturers.

The attack requires neither prior pairing nor authentication. It allows, among other things, the reading of the currently playing media title, the capture of contact data, or the manipulation of existing trust relationships with paired smartphones. In practice, the researchers demonstrated how a call on the smartphone can be triggered using the connection data read from the headphones, a potential gateway for eavesdropping attacks via the built-in microphone.

According to ERNW, the security vulnerabilities have been confirmed in 29 Bluetooth headphones, but far more models are likely affected. The list includes models such as Sony WH-1000XM4 to WH-1000XM6, JBL Live Buds 3, Bose QuietComfort Earbuds, Jabra Elite 8 Active, and various Marshall devices like Major V and Stanmore III. Brands like Teufel, Jlab, Xiaomi, and others are also affected. The researchers estimate that more than 100 different models could be vulnerable, and many manufacturers are not even aware that Airoha chips are used in their products.

Airoha provided manufacturers with an updated version of its software on June 4. However, this must be passed on to end users by the device manufacturers in the form of a firmware update. So far, no newer firmware versions built after the patch date have appeared on affected devices. Users should therefore regularly check the manufacturers' apps for updates or contact customer support.

The experts emphasize that real attacks are complex and technically demanding. They require immediate physical proximity to the target device and specialized knowledge. An attack is also not possible over the internet. Therefore, the warning is primarily directed at particularly vulnerable individuals such as journalists, diplomats, activists, or employees in security-relevant industries. For private everyday use, the risk is currently low.

The post Security Flaw in Bluetooth Headphones: Sony, Bose, JBL and Other Brands Affected appeared first on TECHBOOK.


Forbes
21 hours ago
- Business
- Forbes
2025's Biggest Challenges In Open-Source Software Supply Chains
Stephanie Domas is the Chief Information Security Officer (CISO) at Canonical, the creators of the popular Linux operating system, Ubuntu.

What are the most pressing issues for organizations using open-source software (OSS) in 2025? Is it cyberattacks? Cost efficiency? Or is it the disruptions of AI and new tech? In this article, I'll give my take as a CISO and advise how I'd go about addressing them.

Why Businesses Struggle With Their Open-Source Supply Chain

OSS can be amazing, but software is only as good as its supply chain security. Getting this right can be a complex puzzle, and it's one that most organizations are struggling to solve: our research with IDC revealed that 9 out of 10 organizations would prefer to source packages at the operating system level, yet only 44% of them do so. Instead, organizations are pulling software from all over the place, and only when they have to, avoiding automatic upgrades to the newest versions. They prefer to wait until new features are needed or the free updates stop—essentially until things stop working. This approach exposes organizations to newly discovered vulnerabilities. It also creates more expensive and time-consuming work, because the organization has to do intensive, inefficient things like monitoring upstream open source and scanning for vulnerabilities itself.

Challenges In Managing Vulnerabilities

Patching is hard, but it's much harder when you have demanding SLAs needed to meet market regulations. Managing vulnerabilities across a range of OSS can be time-consuming and requires skilled labor and manual effort. As every CISO knows, "manual" usually means mistakes in the long run. And if something goes wrong, it could spell disaster for the company: according to Statista, as of January 2025, just 17 data breaches resulted in over $7 billion in fines.

Our research at Canonical shows that 43% of organizations are concerned about their ability to secure their AI stack. Worse, 60% of organizations have zero or only basic security controls to safeguard their AI/ML systems. This sort of exposure is unacceptable: not securing your AI systems runs the risk of package hallucination attacks, prompt injection or even exposure of your valuable IP.

The market is being disrupted by new cybersecurity regulations, and many organizations struggle to figure out what these mean for their operations and systems. Look at the EU Cyber Resilience Act (CRA), for example. This new regulation means that millions of devices will face stricter cybersecurity requirements. The people who make these devices will need to provide detailed documentation, consistent security patches across their device lifecycles, and long-term reporting and monitoring for vulnerabilities in their devices. The CRA is just one of dozens of cybersecurity regulations that are clamping down on unsecured devices. Navigating this complex landscape is hard.

My Recommendations For Meeting These New Challenges

New innovations in open source are being made every day. In our own teams, we have people building enterprise-level-competitive software for 5G and mobile private networks—something that would have been unthinkable 10 years ago. Still, addressing today's OSS-related risks requires a combination of strategic tooling, process maturity and smart sourcing decisions.

First, streamline how you acquire and manage software packages. Whether you're fully OSS-based or in a hybrid environment, the goal should be reducing fragmented sourcing. One strategy I've found to be effective based on my firsthand experience is to pull packages from a trusted operating-system-level repository or work with vendors who assume upstream responsibility for security and compliance. This approach eases the burden of patching, compliance and vulnerability monitoring, especially in light of new regulations like the CRA. At Canonical, we've committed to meeting CRA manufacturer requirements directly, aiming to help organizations downstream shift compliance responsibility without sacrificing flexibility. The importance of this in the open-source community cannot be overstated, as some of the most important software in the world relies on tiny communities that do not have the time or resources to meet onerous cybersecurity regulations.

My work involves directly overseeing the security assessments required before enabling some AI tools within our teams' workflows. As a result, I've found it's especially important to be intentional about your AI security posture. Before integrating AI tooling into production workflows, conduct formal assessments to understand what systems it will touch, what data it will process and how its behavior aligns with existing security controls. Don't rush—map out targeted use cases and pilot with guardrails. Experimental adoption is fine, as long as it's paired with rigorous due diligence and clearly defined outcomes.

Finally, keep in mind that innovation doesn't have to come at the cost of security or compliance. Whether you're building edge networks, standing up clouds or managing ML pipelines, OSS can certainly accelerate development and cut costs—but only if paired with disciplined implementation. We've seen organizations slash cloud bills by up to 76% using tools like OpenStack and MicroCloud on existing infrastructure. But the real win comes when that cost-efficiency is matched by secure, well-governed practices that stand up to scrutiny.

Conclusion

To stay competitive in 2025 and beyond, organizations must treat open-source security and compliance as strategic capabilities—not afterthoughts. That means adopting clear processes for sourcing, patching and assessing software, especially as AI adoption grows and regulations tighten. Whether you're trying to reduce costs, improve scalability or navigate frameworks like the CRA, secure open-source practices can unlock real operational advantages. But those benefits only materialize when paired with intentional governance, smart tooling and a strong understanding of your risk surface. By following these recommendations, you can better ensure you'll be ready for these challenges and more.


Bloomberg
4 days ago
- Business
- Bloomberg
One of the Best Hackers in the Country is an AI Bot
A hacker named Xbow has topped a prestigious security industry US leaderboard that tracks who has found and reported the most vulnerabilities in software from large companies. Xbow isn't a person — it's an artificial intelligence tool developed by a company of the same name. This is the first time a company's AI product has topped HackerOne's US leaderboard by reputation, which measures how many vulnerabilities have been found and the importance of each one, according to HackerOne co-founder Michiel Prins. Now, the year-old startup has raised $75 million in a new funding round led by Altimeter Capital, with participation from existing investors Sequoia Capital and NFDG. It declined to share its valuation.
Yahoo
20-06-2025
- Business
- Yahoo
OPINION: Why 'least privilege' is Canada's best defence
Microsoft just hit a record high of 1,360 reported vulnerabilities in its software last year. While that number might sound scary, it's part of a trend we've seen for years. The real problem lies in what's behind the numbers and what they mean for Canadian businesses trying to stay secure in a fast-moving world. As BeyondTrust's latest Microsoft Vulnerabilities Report reveals, one type of security risk is especially alarming: elevation of privilege (EoP). This category made up 40 per cent of Microsoft's total reported vulnerabilities in 2024. That's not just a statistic; it's a wake-up call.

What's elevation of privilege and why should Canadians care?

Imagine someone finds a way to break into your office using a stolen key card. That's what an elevation of privilege attack is like in the digital world. Once inside, hackers can quietly move through your systems, taking control of sensitive data or expanding their access without being noticed. These attacks often begin with compromised credentials, sometimes even from non-human identities like service accounts. The problem snowballs from there. We've seen it over and over in major data breaches: attackers find one weak point, then jump from system to system. And Microsoft isn't the only target. If 40 per cent of their vulnerabilities are EoP-related, imagine how many other software platforms that Canadian companies rely on could also be vulnerable.

The rise of security feature bypass attacks

Another disturbing trend is the spike in security feature bypass vulnerabilities, up 60 per cent since 2020. These are loopholes hackers use to get around built-in protections in tools like Microsoft Office and Windows. Think of these bypasses as digital 'unlocked doors.' If an attacker finds one, it doesn't matter how strong your locks are; they're walking right in. Tools like EDR (endpoint detection and response) are meant to stop threats, but attackers are finding ways around them too. We've seen the rise of tools like EDR Killer that are designed specifically to sneak past these defences.

Why Canadian companies can't rely on just one layer of security

Some businesses still make the mistake of thinking one product or platform will keep them safe. But cybersecurity isn't about one silver bullet. It's about layered defences, also known as 'defence in depth.' For example, if a patch causes problems or breaks other tools, companies might delay applying it. But that delay gives attackers a window of opportunity. The better approach? Have multiple layers of protection in place, especially for front-line systems and high-risk assets.

Microsoft Edge: The new problem child?

One surprise in this year's report was the jump in Microsoft Edge vulnerabilities. Critical issues rose from 1 to 9 and total vulnerabilities increased from 249 to 292. Has Microsoft shifted its focus too much toward Azure and Dynamics 365? It's a question worth asking, especially when everyday tools like browsers are often the first entry point for cyberattacks.

AI brings new benefits and new risks

Artificial Intelligence (AI) is transforming how businesses operate, but it's also opening the door to new threats. Microsoft Copilot Studio and Azure Health Bot, for instance, were flagged for AI-related vulnerabilities in this year's report. AI is already being used by threat actors to automate attacks, identify weaknesses faster and even write malicious code. We haven't yet seen a large-scale attack where an AI or large language model (LLM) becomes the main infection point, but that day is coming. The biggest question on the horizon: can we trust the output from AI tools? What if the answers, code or insights we get from AI are secretly manipulated by a hacker? Canadian companies need to think about how to secure not just their AI tools, but also the data and systems that feed them. AI security can't be an afterthought; it must be built into every layer of your defence strategy.

The power of 'least privilege' in a 'zero-trust' world

One of the most effective ways to reduce risk is by applying the principle of 'least privilege.' It's not a new idea, but it's more important than ever. 'Least privilege' means giving every user—human or machine—only the access they absolutely need to do their job. Nothing more. If someone doesn't need admin rights, don't give them admin rights. If a service account only needs access to one system, don't let it roam freely. This approach limits the damage if (or when) something goes wrong. It's also a key part of a 'zero-trust' strategy, which assumes no one and nothing should be trusted automatically, even if they're already 'inside' your network. In fact, many organizations confuse 'zero trust' with 'least privilege.' The difference is that 'zero trust' is the overall strategy, and 'least privilege' is a tactical way to enforce it. A practical step Canadian companies can take right now? Audit your users and systems. Who has access to what, and why? You might be shocked by how many people or services have more access than they actually need.

Identities are the new perimeter

Cybersecurity used to be about building firewalls around a company's data centre. But in today's world of cloud apps, hybrid work and global supply chains, identity is the new perimeter. Attackers are no longer just looking for software flaws. They're targeting people, especially those with access and privileges. That includes your employees, partners, contractors and even automated systems. That's why privileged access management (PAM) and identity-first security strategies are so critical for Canadian businesses. These approaches don't just monitor threats; they help stop them at the source by locking down who can do what, where and when.

The bottom line going forward

Cybersecurity isn't about being perfect; it's about being proactive. You can have 99.9 per cent of your environment locked down, but if there's a .01 per cent vulnerability, that's all an attacker needs. Canadian organizations need to shift their mindset from reactive to proactive. That means applying patches smartly, layering defences, adopting AI cautiously and putting 'least privilege' at the heart of your security program. Because when it comes to protecting your business, every identity and every privilege matters.

Dan Deganutti is the senior vice president and country manager for Canada at BeyondTrust, where he leads the company's Canadian go-to-market (GTM) operations and fosters relationships with clients and business partners.


Forbes
19-06-2025
- Forbes
Google Chrome Warning — Windows, Android, Mac And Linux Users Act Now
Update Chrome now. Google users are accustomed to being urged to update now, which is hardly surprising, as its products and services are a magnet for cybercriminals due to the extensive user footprint they enjoy. Google has advised users to replace all Gmail passwords and update to a passkey instead, following numerous account takeover attacks, Google Messages is getting a critical security update, and then there's Chrome, of course.

Hot on the heels of a June 10 urgent Google Chrome browser security update, just a week later, the technology behemoth has confirmed yet another security scare that requires users of the world's most popular web browser across all platforms, with the exception of iOS, to update now. Google has now confirmed two new security vulnerabilities that impact users of Chrome across the Android, Linux, Mac and Windows platforms. The vulnerabilities, both given a high-severity rating and earning four-figure bounty rewards for the researchers who discovered and disclosed them, could enable a successful attacker to execute arbitrary code on your device, with all the consequences that can bring. It is for this reason that it's vital you don't wait for the update to reach your browser in the 'coming days and weeks,' as Google noted in its June 17 confirmation, but rather kickstart that process now and ensure the security patches have been activated and are protecting your system.

The two vulnerabilities are:
- CVE-2025-6191: An integer overflow security vulnerability in Chrome's V8 JavaScript engine.
- CVE-2025-6192: A use-after-free security vulnerability in Chrome's Profiler function.

The Google Chrome update process actually happens automatically, but, as Google has noted, it can take some days to reach your browser. When it does, you will see a notification that the update to version 137.0.7151.119/.120 is available. This alone does not mean that you are protected; you need to activate the update in order for it to do that. Err on the side of caution and kickstart the updating process so you can be sure your browser and the data it can access are appropriately protected immediately.

Kickstart your Google Chrome update now. Head for the Help menu and select About Google Chrome. This will check for and download the update, and then all you have to do is relaunch the browser to activate it and gain immediate protection from these vulnerabilities. Don't worry, your tabs will reopen as well, so you won't lose them. So, what are you waiting for? Android users simply need to update the Chrome app. Relaunch Google Chrome to activate security updates.