Vulnerability Disclosure

All articles tagged with #vulnerability disclosure

Microsoft's crackdown on public zero-days fuels security researcher feud
tech · 6 hours ago

Microsoft is facing backlash over its handling of zero-day exploits after a security researcher going by Nightmare Eclipse publicly posted exploit code. Microsoft says it plans to file a criminal case for failing to coordinate disclosure and has disabled Nightmare Eclipse's GitHub, GitLab, and MSRC accounts. Security researcher Kevin Beaumont notes that Microsoft has hired people with public zero-day histories and even buys exploits, raising questions about the company’s stance on “responsible disclosure” and highlighting a broader clash between vendors and researchers over vulnerability reporting.

Microsoft Faces Backlash After Threatening Legal Action Over Windows Bugs
technology · 1 day ago

Microsoft drew sharp criticism from the cybersecurity community after threatening legal action against Nightmare Eclipse, a researcher who published six unpatched Windows zero-days outside the MSRC disclosure process, including a BlueHammer privilege-escalation proof-of-concept. Microsoft says coordinated disclosure protects customers, while researchers argue it stifles bug reporting; the dispute has led to the takedown of the researcher’s GitHub/GitLab pages and MSRC accounts, with promises of further disclosures and a broader debate over disclosure policies.

Hacked from Across the Globe: Yarbo Robotic Mowers Reveal Widespread Security Flaws
technology · 23 days ago

A security researcher demonstrates that Yarbo’s all-in-one robot lawn mowers can be hijacked remotely due to universal hardcoded root passwords and a built-in backdoor, giving access to owners’ GPS data, Wi‑Fi credentials, and camera/video feeds across thousands of devices worldwide. The demo shows remote control over mowers, potential spying on homes, and even the risk of turning devices into botnets. Yarbo says it’s working on fixes, stronger access controls, and a possible bug‑bounty program, while acknowledging security concerns and ongoing investigations.

Apple Denies Bug Bounty to Kaspersky Lab
technology · 2 years ago

Apple declined to pay a bug bounty to Kaspersky Lab after the Russian cybersecurity firm disclosed four zero-day vulnerabilities in iPhone software, which were allegedly used to spy on Kaspersky employees and Russian diplomats. Kaspersky suggested the vulnerabilities might have been state-sponsored, but Apple denied any collaboration with governments for spying purposes. The refusal comes amid heightened tensions between the US and Russia following the invasion of Ukraine.

"Ransomware Attack on JetBrains TeamCity Exposes Critical Vulnerability"
cybersecurity · 2 years ago

Security researchers have observed active exploit attempts using vulnerabilities in JetBrains' TeamCity, leading to ransomware deployment. The vulnerabilities are being actively exploited in the wild, with attackers breaking into CI/CD servers and creating hundreds of accounts for later use. Due to uncoordinated disclosure between JetBrains and researchers at Rapid7, all the information required for an attacker to develop a working exploit was made public on the same day the patches were released. This has sparked a debate within the cybersecurity community about the best approach to vulnerability disclosure. Users of on-prem versions of TeamCity prior to 2023.11.4 are advised to apply the patches immediately to mitigate the risk of exploitation.