
Latest news with #CVE2025

Google Issues Emergency Update For All 3 Billion Chrome Users

Forbes

3 days ago


Update all browsers now. Google has suddenly released an emergency Chrome update, warning that a vulnerability discovered by its Threat Analysis Group has been used in attacks. Such is the severity of the risk that Google also confirmed that, ahead of this update, the issue 'was mitigated on 2025-05-28 by a configuration change' pushed out to all platforms.

Google says it 'is aware that an exploit for CVE-2025-5419 exists in the wild,' and that full access to details on the vulnerability will 'be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.'

CVE-2025-5419 is an out of bounds read and write in V8, the type of dangerous memory flaw typically found and fixed on the world's most popular browser. While it's only marked as high-severity, the fact attacks are underway means applying the fix is critical.

There is already a U.S. government mandate for federal staff to update Chrome by Thursday or stop using the browser, after a separate attack warning. And there has been another high-severity fix since then, with two separate fixes. It is inevitable that this latest warning and update will also prompt CISA to issue a 21-day update mandate.

There is a second fix included in this emergency update — CVE-2025-5068 is another memory issue, a 'use after free in Blink,' that was disclosed by an external researcher. NIST warns that CVE-2025-5419 'allows a remote attacker to potentially exploit heap corruption via a crafted HTML page,' and that it applies across Chromium, suggesting other browsers will also issue emergency patches.

As usual, you should see a flag on your browser that the update has downloaded. You need to restart Chrome to ensure it takes full effect. All your normal tabs will then reopen — unless you elect not to do that. But your Incognito tabs will not reopen, so make sure you save any work or copy down any URLs you want to revisit.

Linux Passwords Warning — 2 Critical Vulnerabilities, Millions At Risk

Forbes

4 days ago


Beware this Linux password vulnerability. Although most critical security warnings that hit the headlines impact users of Microsoft's Windows operating systems, and occasionally Apple's iOS and macOS, critical Linux security vulnerabilities are a much rarer occurrence. As news of not one, but two, such Linux vulnerabilities breaks, millions of users are advised that their passwords and encryption keys could be at risk of compromise. Here's what you need to know and do.

When security experts from a renowned threat research unit discover not one, but two, critical local information disclosure vulnerabilities impacting millions of Linux users, it would be an understatement to say that this is a cause for concern. When those same security researchers develop proof of concepts for both vulnerabilities, across a handful of Linux operating systems, the concern level goes through the roof.

The vulnerabilities, impacting the Ubuntu core-dump handler known as Apport, and Red Hat Enterprise Linux 9 and 10, plus Fedora, with the systemd-coredump handler, are both of the race-condition variety. Put simply, this is where event timing can cause errors or behaviours that are unexpected at best, critically dangerous at worst. The vulnerabilities uncovered by the Qualys threat research unit fall into the latter category.

Exploiting CVE-2025-5054 and CVE-2025-4598, Saeed Abbasi, a manager with the Qualys TRU, said, could 'allow a local attacker to exploit a Set-User-ID program and gain read access to the resulting core dump.' Because both impacted tools are designed to deal with crash reporting, they are well-known targets for attackers looking to exploit vulnerabilities to access the data contained within those core dumps.

Abbasi conceded that while there are plenty of modern mitigations against such risk, including systems that direct core dumps to secure locations, for example, 'systems running outdated or unpatched versions remain prime targets' for the newly disclosed vulnerabilities. Abbasi went on to warn that the successful exploitation of these Linux vulnerabilities could lead to the extraction of 'sensitive data, like passwords, encryption keys, or customer information from core dumps.'

All users are urged to mitigate that risk by prioritizing patching and increasing access controls. Abbasi said that when it comes to the Apport vulnerability, Ubuntu 24.04 is affected, including all versions of Apport up to 2.33.0 and every Ubuntu release since 16.04. For the systemd-coredump vulnerability, meanwhile, Abbasi warned that Fedora 40/41, Red Hat Enterprise Linux 9, and the recently released RHEL 10 are vulnerable.

I have reached out to Canonical and Red Hat for a statement regarding the Linux password exposure threats.

Microsoft Confirms Critical 10/10 Cloud Security Vulnerability

Forbes

09-05-2025


Microsoft confirms 10/10 Azure vulnerability.

It's not often that a truly critical security vulnerability emerges that hits the maximum Common Vulnerability Scoring System severity rating of 10. This is one of those times. Microsoft has confirmed multiple vulnerabilities rated as critical and impacting core cloud services, one of which has reached the unwelcome heights of that 10/10 criticality rating. The good news is that none are known to have been exploited in the wild, none have already been publicly disclosed, and as a user, there's nothing you need to do to protect your environment.

A total of four cloud security vulnerabilities have been confirmed by Microsoft, one of which hit the 10/10 rating, but two aren't a million miles short, both being given 9.9 ratings. The final vulnerability remains critical, with a CVSS severity rating of 9.1. Let's look at them in order of their criticality.

CVE-2025-29813
Critical Rating: 10.0
Azure DevOps Elevation of Privilege Vulnerability

Microsoft confirmed that this Azure DevOps pipeline token hijacking vulnerability is caused by an issue whereby Visual Studio improperly handles the pipeline job tokens, enabling an attacker to potentially extend their access to a project. 'To exploit this vulnerability,' Microsoft said, 'an attacker would first have to have access to the project and swap the short-term token for a long-term one.'

CVE-2025-29972
Critical Rating: 9.9
Azure Storage Resource Provider Spoofing Vulnerability

Microsoft said that this Azure server-side request forgery vulnerability could allow an authorized attacker to perform 'spoofing' over a network. In other words, a successful threat actor could exploit this vulnerability to distribute malicious requests that impersonate legitimate services and users.

CVE-2025-29827
Critical Rating: 9.9
Azure Automation Elevation of Privilege Vulnerability

Yet another Azure security vulnerability with an unbelievably high official severity rating of 9.9, this time enabling a successful hacker to elevate privileges across the network thanks to an improper authorization issue in Azure Automation.

CVE-2025-47733
Critical Rating: 9.1
Microsoft Power Apps Information Disclosure Vulnerability

Hooray, not Azure this time, and dropping on the criticality rating scale to a 9.1 as well. This vulnerability, as the name suggests, would allow an attacker to disclose information over the network. It's another server-side request forgery vulnerability but this time impacting Microsoft Power Apps.

Here's the really good news among the bad critical vulnerability disclosure stuff: there is no patch to install, no updates to deploy, and no action required by the user at all. 'This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take,' Microsoft said with regard to each of the cloud security issues mentioned.

That's because it comes under the remit of what the Microsoft Security Response Center refers to as a commitment to provide comprehensive vulnerability information to customers, by detailing cloud service CVEs once they have been patched internally. 'In the past,' Microsoft said, 'cloud service providers refrained from disclosing information about vulnerabilities found and resolved in cloud services, unless customer action was required.' With the value of full transparency now properly understood, all that has changed. 'We will issue CVEs for critical cloud service vulnerabilities,' Microsoft confirmed, 'regardless of whether customers need to install a patch or to take other actions to protect themselves.'

Check Your Phone Before Apps Stop Working This Month

Forbes

08-05-2025


Be warned — everything changes this month. There's bad news for more than a billion Android users this month. The apps on your phone may start to fail. This is deliberate, and follows a huge change Google has just made to the way Play Store operates. That's not the only issue. Those same billion users also now face a critical new security threat, after another change from Google.

All this stems from the Android OS version running on your phone. While the Android 15 upgrade and latest Android 16 beta steal the headlines, more than half of all Android users still run phones on Android 12 or older. Take a look at Android's monthly security bulletins and you'll spot that while Android 12 was updated with critical fixes in March, come April and May that stopped. Only Android 13, 14 and 15 received updates. That means that Google's warning this week that Android is under attack is a major concern for those users. CVE-2025-27363 has only been fixed for Android 13 and 14.

But there's another major new issue as well, one with even more serious long-term implications for the way in which those billion phones work moving forward. Starting this month, Google has changed the way in which its Play Integrity API works. This enables developers to change how their apps run depending upon the OS on a phone and the recency of security updates. And in this, Google has drawn a line between Android 13 and newer on one side, and Android 12 and older on the other.

For Android 12 and below, Google says 'this update gives apps with higher security needs, like banking and finance apps, governments, and enterprise apps, more ways to tailor their level of protection for sensitive features, like transferring money. When the strong label isn't available for the user, we recommend that you have a fallback option.' That 'fallback option' means restrictions and reduced functionality.

This means you now have two good reasons to check the Android version on your phone. If it's Android 12 or less, check if you can upgrade to a newer version of the OS. If you can't and if your OEM has not confirmed it is backporting Android updates for your OS, then you should upgrade your phone to something newer. If you're sticking with Android 12, then make sure you run good security software on your device — and be prepared for some apps to stop working properly from this month.
