Check for and Fix Insecure Direct Object References in Web Apps; New Ivanti Vulnerability Amplifies Risk; Faster Patching and Broader Fixes Critical to Mitigating Software Risk

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), and US National Security Agency (NSA) have published a joint cybersecurity advisory, Preventing Web Application Access Control Abuse. The document is designed “to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities.”

Read more in

Ivanti has disclosed and released a fix for another vulnerability in its Endpoint Manager Mobile (EPMM) software, the second in just a week. Both vulnerabilities are being actively exploited. The more recently disclosed flaw can be exploited to perform arbitrary file writes to the EPMM server; it can be exploited in conjunction with the previously disclosed flaw to bypass administrator authentication and access control list (ACL) restrictions.

Read more in

Google has published its annual zero-day vulnerability report for 2022. Google says that in 2022, there were 40 zero-days discovered in the wild. Google’s “key takeaways” include n-day vulnerabilities functioning like 0-days on Android because of patch lag, and more than 40 percent of the 0-days found in 2022 are variants of older vulnerabilities.

Read more in

US Senator Ron Wyden (D-Oregon) has written to the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice (DoJ), and the Federal Trade Commission (FTC), asking them to hold Microsoft accountable for its “negligent cybersecurity practices” that led to Chinee state-sponsored hackers gaining access to “hundreds of thousands of individual U.S. government emails” with the help of a stolen MSA encryption key. In the letter, Wyden also observes that “Microsoft never took responsibility for its role in the SolarWinds hacking campaign.”

Read more in

The Biden Administration has released its National Cyber Workforce and Education Strategy (NCWES). The strategy, which addresses both the immediate and long-term cyber workforce needs; rests on four pillars: equipping everyone with foundational cyber skills; transforming cyber education; expanding and enhancing the country’s cyber workforce; and strengthening the federal cyber workforce.

Read more in

The website of Israeli oil refining company BAZAN Group has been inaccessible to most people around the world since this past weekend following a distributed denial-of-service (DDoS) attack. The website is reportedly accessible within Israel. While the group claiming responsibility for the attack has published data it claims to have taken from BAZAN, the company says that “information and images being circulated are entirely fabricated and have no association with Bazan or its assets.”

Read more in

In an effort to improve user privacy, Apple will require app developers to provide rationales for using certain APIs in their apps. Starting later this year, Apple developers must explain in the app privacy manifest why they are using the APIs. The API categories covered by this requirement include those that access file timestamps, boot system time, available diskspace, active keyboard lists, and user defaults.

Read more in

The Pentagon is investigating what appears to be an insider compromise of US Air Force communications systems. The information was revealed in a document obtained by Forbes. The document also suggests that the same individual may have breached FBI communications. After receiving a tip, law enforcement authorities conducted a raid on the individual’s home, where they discovered “he had ‘unauthorized administrator access’ to radio communications tech used by the Air Education and Training Command (AETC), ‘affecting 17 DoD installations.’”

Read more in

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a trio of malware analysis reports about malware variants that exploit a remote command injection vulnerability in the Barracuda Email Security Gateway (ESG) Appliance. The flaw was exploited as far back as October 2022, before a patch was available. Barracuda released fixes for the vulnerability in May 2023.

Read more in

US Cyber experts are searching out malware embedded in networks that support power grids, communications systems, and water supplies at US military bases around the world. The situation began to emerge earlier this year when Microsoft detected anomalous code in telecom systems used in Guam and in the US. For months now, US officials and cyber experts have been scouring systems for the code and removing it.

Read more in