
Latest news with #vulnerabilities

Camera Hacks Ongoing — America's Cyber Defense Agency Confirms

Forbes

a day ago


Threat actors will, truth be told, target anything and everything if it offers an opportunity to infiltrate a network or gain access to data. Perhaps the most dangerous of all are what the U.S. Cybersecurity Infrastructure and Security Agency has previously referred to as unsophisticated hackers that exploit exposed assets, including those that have not been patched for known vulnerabilities. Such is the case with this latest warning from 'America's Cyber Defense Agency' which involves active and ongoing security camera attacks. Here's what you need to know and do.

Camera Hack Attacks Confirmed — What You Need To Know

Not all hack attacks involve retail ransomware threats, or password theft from popular web browsers, or even Microsoft Windows, despite the number of headlines you read. Some are more niche than that. Some target the Internet of Things, with routers being an oft-reported example. Some, as CISA has now confirmed, target security cameras.

The August 5 CISA security alert has warned that it has 'evidence of active exploitation' concerning a number of security cameras from D-Link. The vulnerabilities concerned, three in total and impacting five devices, have now been added to the CISA Known Vulnerabilities Catalog. The vulnerabilities are:

What's intriguing, and worrying in equal measure, is that all of these vulnerabilities are not new. In fact, they are positively ancient in cybersecurity terms, dating from 2020 through 2022, and all have had firmware patches to resolve the issues. These unpatched vulnerabilities are now under active attack, CISA warned, and 'pose significant risks to the federal enterprise.' Which is why those agencies have just 21 days to get their patch management plans in order. Everyone else, however, needs to ensure that they have done the same.

You can check the precise camera device firmware update requirements by following the links in the CISA alert, and users are advised to find out more by staying up to date with D-Link security bulletins.

You might be using a hacked Dell laptop right now, and wiping Windows won't save you

Phone Arena

a day ago


Dell Latitude 5450. | Image by Dell

Security in the digital age is no joke and when a major breach hits, things get serious fast. Now, a wide range of newishly discovered vulnerabilities is putting millions of Dell laptops at risk – and if you are using one, especially in business or government settings, it's time to act fast.

A new report reveals that more than 100 Dell laptop models, mainly from the Latitude and Precision lines used by enterprises, cybersecurity experts and government agencies, are affected by a set of critical firmware vulnerabilities. These flaws could give attackers persistent access – even if you wipe and reinstall Windows.

The flaws, collectively named "ReVault", affect the Broadcom BCM5820X security chip embedded in Dell's ControlVault3 firmware. This chip is designed to protect passwords, biometric data and encryption keys – but in this case, it could do the opposite, letting attackers steal that info and stay hidden inside your system.

This is how a device could be compromised.

Dell has confirmed the vulnerabilities and rolled out security updates, but if you are in charge of managing a fleet of Dell machines, now is the time to make sure those updates are actually getting installed.

What's ControlVault3 and why does it matter?

Dell's ControlVault is a hardware-based security system – a kind of digital vault – that stores your most sensitive info, like passwords, fingerprints and security codes, outside of your regular OS. It lives on a separate board inside the laptop called the Unified Security Hub (USH) and connects to smart card readers, NFC and fingerprint scanners.

Cisco Talos researchers found five major flaws in ControlVault3 and ControlVault3+ firmware:

  • CVE-2025-24311 – Out-of-bounds read → info leak
  • CVE-2025-25050 – Out-of-bounds write → code execution
  • CVE-2025-25215 – Arbitrary memory free → memory corruption
  • CVE-2025-24922 – Stack-based buffer overflow → code execution
  • CVE-2025-24919 – Unsafe deserialization in Windows APIs

Each of these scored above 8.0 on the CVSS scale, making them high-severity. Combined, they can be used in extremely dangerous ways – including full system compromise.

The worst part? These flaws can survive a full Windows reinstall. Because the vulnerabilities sit below the OS in the firmware layer, they can give attackers persistent access – and antivirus software won't catch it. The research team showed how even non-admin users can trigger these flaws through Windows APIs, potentially stealing cryptographic keys and modifying the firmware itself.

And even without remote access, an attacker with just a few minutes of physical access could open the laptop and connect directly to the USH board via USB, bypassing system login and even full-disk encryption. And yeah, it gets wild – the researchers showed how they could trick a compromised ControlVault chip to accept any fingerprint, including objects like vegetables, as valid biometric input.

What should users and admins do?

First, update now. Dell has been releasing firmware patches and drivers since March 2025 and in many cases, they are being pushed through Windows Update. The researchers also recommend:

  • Disabling ControlVault services/devices if you are not using fingerprint, smart card, or NFC readers.
  • Turning off biometric login when leaving your laptop unattended.
  • Using Enhanced Sign-In Security (ESS) in Windows for extra protection against physical tampering.
  • Enabling chassis intrusion detection in BIOS, if available.

Also, endpoint detection tools could help flag suspicious firmware access attempts, and unexplained crashes in Windows Biometric or Credential Vault services could be signs something's wrong.

Why this matters more than ever

Firmware components like ControlVault are full computing systems on their own – they've got memory, processors and software. And that means attackers exploiting them can sidestep traditional OS-level protections completely. – Cisco Talos researchers, August, 2025

Bottom line: firmware vulnerabilities like ReVault are dangerous, sneaky, and easy to overlook. If you are running a Dell business laptop, this isn't one to ignore.

Does today's Pixel update exterminate the bug you've been praying that Google would fix?

Phone Arena

a day ago


The Android 16 monthly update for August has been released by Google and can be installed on compatible Pixel phones. Which models are those? Glad you asked. Those models include the Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, and Pixel 9a. If you have one of those devices, go to Settings > System > Software update. I have yet to receive the update on my Pixel 6 Pro running the latest Android 16 QPR1 Beta release.

If your Pixel does have the August 1st update, it will mention the three vulnerabilities fixed with the 2025-08-01 security patch. The three vulnerabilities include two deemed to be high in severity, while one is listed as critical.

Three new Android vulnerabilities are patched by the Android Security Update. | Image credit-Google

The most severe vulnerability among this group could lead to "the local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation." This means that the attacker needs to have access to the device through a malicious app you've installed, or even a file you downloaded on your device. If successful in getting you to download the app or files, the attacker can raise his level of control over your device to a higher level than initially granted.

For example, an app might have the ability to see your photos but, by raising its privilege level the attacker could end up being able to steal your data or even install other malware. The attacker can start at an unprivileged level, and raise it by exploiting the flaw. The vulnerability cannot be exploited without the phone user taking some action to get the ball rolling. Such action could include:

  • Clicking on a malicious link.
  • Opening a PDF, an image file, or another crafted file.
  • Installing a malicious app.

The vulnerability rated critical can be exploited remotely over a network like the Internet. The attacker does not need to have physical control of your phone or trick you into installing a malicious app. With code execution, the bad actor can run his own code on your device, allowing him to steal your personal data, install malware, and take control of your device. The attacker must exploit at least one other bug to successfully execute this plan. That makes it harder to pull off.

SYSTEM

All Pixel models, including the Pixel 6 and later, will see "General improvements for system stability and performance in certain conditions."

USER INTERFACE

All Pixel models, including the Pixel 6 and later, get a fix for an issue where the scheduled dark theme wasn't working under certain conditions.

All Pixel models, including the Pixel 6 and later, get a fix for issues involving the 3-button and gesture navigation options in certain conditions.

If you're wondering when the next Pixel Feature Drop is coming, one rumored date is Wednesday, September 3rd. That could be when Google drops the next Quarterly Platform Release (QPR). So if you are currently running the Android 16 QPR1 Beta and want to return to the stable version of Android without having to wipe your data, you'll be able to do that when Google releases Android 16 QPR1.

On September 3rd, or whatever the date is when Google does release Android 16 QPR1, go to the Android Beta for Pixel website by tapping on this link or directing your browser to Click on the box that says "View your eligible devices," and you'll be sent to a part of the site that shows a picture of your Pixel model. Underneath that will be a box prompting you to exit the Beta by tapping on it. Do that and check for a software update that will arrive within the next 24 hours. Install the update and you'll be back on the stable Android track.

You must wait until the Android 16 QPR1 update has been released, or else you'll be in for a nasty surprise! (Your apps and personal data will be wiped from your phone).

Google says its AI-based bug hunter found 20 security vulnerabilities

Yahoo

3 days ago


Google's AI-powered bug hunter has just reported its first batch of security vulnerabilities.

Heather Adkins, Google's vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.

Adkins said that Big Sleep, which is developed by the company's AI department DeepMind as well as its elite team of hackers Project Zero, reported its first-ever vulnerabilities, mostly in open source software such as audio and video library FFmpeg and image-editing suite ImageMagick.

Given that the vulnerabilities are not fixed yet, we don't have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.

'To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,' Google's spokesperson Kimberly Samra told TechCrunch.

Royal Hansen, Google's vice president of engineering, wrote on X that the findings demonstrate 'a new frontier in automated vulnerability discovery.'

LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there's RunSybil and XBOW, among others.

XBOW has garnered headlines after it reached the top of one of the U.S. leaderboards at bug bounty platform HackerOne. It's important to note that in most cases, these reports have a human at some point of the process to verify that the AI-powered bug hunter found a legitimate vulnerability, as is the case with Big Sleep.

Vlad Ionescu, co-founder and chief technology officer at RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch that Big Sleep is a 'legit' project, given that it has 'good design, people behind it know what they're doing, Project Zero has the bug finding experience and DeepMind has the firepower and tokens to throw at it.'

There is obviously a lot of promise with these tools, but also significant downsides. Several people who maintain different software projects have complained of bug reports that are actually hallucinations, with some calling them the bug bounty equivalent of AI slop.

'That's the problem people are running into, is we're getting a lot of stuff that looks like gold, but it's actually just crap,' Ionescu previously told TechCrunch.

Google says its AI-based bug hunter found 20 security vulnerabilities

TechCrunch

3 days ago


Google's AI-powered bug hunter has just reported its first batch of security vulnerabilities.

Heather Adkins, Google's vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.

Adkins said that Big Sleep, which is developed by the company's AI department DeepMind as well as its elite team of hackers Project Zero, reported its first-ever vulnerabilities, mostly in open source software such as audio and video library FFmpeg and image editing suite ImageMagick.

Given that the vulnerabilities are not fixed yet, we don't have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.

'To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,' Google's spokesperson Kimberly Samra told TechCrunch.

Royal Hansen, Google's vice president of engineering, wrote on X that the findings demonstrate 'a new frontier in automated vulnerability discovery.'

LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there's RunSybil, and XBOW, among others.

XBOW has garnered headlines after it reached the top of one of the U.S. leaderboards at bug bounty platform HackerOne. It's important to note that in most cases, these reports have a human at some point of the process to verify that the AI-powered bug hunter found a legitimate vulnerability, as is the case with Big Sleep.

Vlad Ionescu, co-founder and chief technology officer at RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch that Big Sleep is a 'legit' project, given that it has 'good design, people behind it know what they're doing, Project Zero has the bug finding experience and DeepMind has the firepower and tokens to throw at it.'

There is obviously a lot of promise with these tools, but also significant downsides. Several people who maintain different software projects have complained of bug reports that are actually hallucinations, with some calling them the bug bounty equivalent of AI slop.

'That's the problem people are running into, is we're getting a lot of stuff that looks like gold, but it's actually just crap,' Ionescu previously told TechCrunch.
