Google 'Big Sleep' LLM Tool Finds Zero-Day Vulnerability; Microsoft Recall Rollout Delayed Again; Okta Fixes Authorization Bypass Vulnerability

A November 1 blog post from Google's Project Zero details "possibly the first example of an AI agent finding an exploitable memory safety issue in real-world software," in which their LLM, Project Naptime -- now "Big Sleep," involving both Google and DeepMind -- uncovered a stack-based buffer overflow in the SQLite open source database engine. Rather than open-ended searching, the project has been targeting in-the-wild vulnerabilities by looking for variations on patched flaws. Big Sleep took a known vulnerability as a starting point and investigated recent commits for similar security issues, finding the vulnerability in code yet to be released. Once discovered and disclosed, the flaw was patched by SQLite the same day. Google reports that its AFL fuzzer "has reached a natural saturation point" in its ability to uncover bugs in SQLite; 150 CPU-hours of fuzzing did not detect the same issue. The team still believes a "target-specific fuzzer" would have similar efficacy, but is optimistic about AI's potential for helping defenders gain an "asymmetric advantage."

Read more in

Already held back twice since Microsoft's release of the AI-capable Copilot Plus PC in June 2024, the Recall tool has been delayed again until December, 2024, "pending further internal review," possibly due to privacy and security risks. The feature is meant to allow search, retrieval, and timeline-based browsing of anything previously displayed on screen, by using AI to continually capture and analyze screenshots. Recall has been hailed since its announcement as a cybersecurity "disaster" and "privacy nightmare," as it initially included unsecured and unencrypted database storage of all its screenshots (which were unmoderated, openly storing sensitive data like credentials and bank account information, though not DRM-protected content), and opt-out model installation and activation. Since the second delay in August, Microsoft has added encryption to the screenshot database and switched to an opt-in model. The company has also confirmed that it will be possible for users to completely uninstall Recall. Microsoft characterizes this latest delay as "refin[ing] the experience;" Casey Ellis of Bugcrowd speculated to DarkReading that Microsoft is waiting to observe response to the "Computer Use" feature from Anthropic's Claude AI, which shares some functions and risks with Recall.

Read more in

Okta has published an advisory warning that long usernames (more than 52 characters) could be exploited allow bypass of Okta AD/LDAP delegated authentication (DelAuth). Additional conditions needed to be met for the exploit to work: the user needs to have previously authenticated, creating an authentication cache. The issue did not affect organizations using multi-factor authentication (MFA). The flaw was introduced in a July 2024 update; Okta discovered the problem and it 'was resolved in Okta's production environment on October 30, 2024.'

Read more in

In a blog post, Microsoft Threat Intelligence writes that over the last 14 months, they have 'observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks.' The source of the attacks appears to be a covert network made up of compromised small office and home office (SOHO) routers used by Chinese state-sponsored threat actors. Microsoft has notified customers affected by this activity.

Read more in

The San Joaquin County, California Superior Court became aware of 'unusual activity' on some of their systems in late October. They isolated their systems from the Internet, which has disrupted the availability of certain public services, including phones and fax lines, websites that contain reporting instructions for jurors, and 'all online services, including e-filing, on-line dispute resolution, support tickets, and online payments are temporarily unavailable.'

Read more in

Ireland's South East Technological University (SETU) Waterford campus notified students that the institution is 'actively dealing with a cybersecurity incident that has targeted [their] IT systems.' SETU cancelled classes scheduled for Monday, November 4th; they expect classes to resume on Tuesday the 5th, but caution that staff and students may still experience disruptions.

Read more in

On October 19, 2024, the Colorado Department of State issued a press release addressing "over 600 BIOS passwords for voting system components in 63 of the state's 64 counties ... not encrypted or otherwise protected," which were accessible for at least two months in a publicly hosted spreadsheet. The release refers to "partial passwords," stating that two separately held passwords must be entered in person for each system component. Jena Griswold, Colorado Secretary of State, gives assurance that "many layers of security," both physical and digital, protect the voting system, including locked rooms secured by ID badge and access log, on-site video surveillance, intelligence clearance by background check, and direct employee supervision. With support from Governor Jared Polis, technicians were sent to reset the passwords, and a team of deputized cybersecurity employees assigned to check for any evidence of tampering. Griswold's office believes the leak "does not pose an immediate security threat to Colorado's elections," nor its ballot counting process.

Read more in

The US Federal Communications Commission (FCC) will vote later this month on a proposed rulemaking that aims to improve security for undersea cables. Among the proposed changes is a prohibition against the use of services and equipment sold by certain companies in adversarial nations. The is the first time the FCCÕs undersea cable licensing rules have been meaningfully reviewed in more than 20 years. 'The Notice of Proposed Rulemaking (NPRM) in this proceeding would seek comment on how best to improve and streamline the Commission's submarine cable rules to facilitate efficient deployment of submarine cables while at the same time ensuring the security, resilience, and protection of this critical infrastructure.'

Read more in

Cisco has notified 'a limited set of CX Professional Services customers' that some of their files were among data downloaded by a threat actor from a public-facing DevHub site. The incident was disclosed last month. Cisco notes that 'the vast majority of the information on our DevHub site is software artifacts (e.g., software code, templates, and scripts) that we intentionally make publicly available.'

Read more in

In a 10-Q form filed with the SEC on October 30, containing financial information for the third calendar quarter of 2024, Meta revealed that the Consumer Financial Protection Bureau (CFPB) has been investigating the company's advertising practices and has "initiated a Notice and Opportunity to Respond and Advise (NORA) process," warning that a lawsuit may be imminent. Meta may have violated the Consumer Financial Protection Act by its acquisition and use in "certain advertising tools" of customer data from third parties. Meta deems any legal action "unwarranted," though this is the latest in a years-long series of legal threats to the company over its handling of user data.

Read more in