The House of Representatives passed the Cybersecurity Information Sharing Act (CISA) yesterday, and it now awaits Senate approval. The bill would allow private companies to disclose cybersecurity threats from their networks without fear of privacy lawsuits or liability for doing so by providing them with immunity from civil penalties, fines and even imprisonment. It also allows any government agency receiving such information about potential breaches to share this new data with other agencies in order to protect national security interests.
The “CISA current activity” is a new patch that has been released by Mozilla. The update includes 11 vulnerabilities to its catalogue, which are mostly in the latest Firefox release.
CVE-2022-26485 and CVE-2022-26486 are two major Firefox vulnerabilities that the Cybersecurity and Infrastructure Agency (CISA) has ordered all federal civilian entities to fix by March 21. The flaws are classified as serious because they allow attackers to perform nearly any command on computers running the vulnerable browser version.
The two weaknesses are Use After Free issues that enable attackers to cause system failures and run malicious code on the target device, as well as download malware that gives them further access. Exploits are reportedly utilizing the Vulnerability to get remote code execution and escape the browser sandbox, according to Mozilla.
The CISA has also added nine more vulnerabilities to its Known Exploited Vulnerabilities Catalogue, based on evidence of threat actors exploiting them. Despite the fact that the directive only affects federal civilian agencies, the CISA has advised public and private sector organizations to repair their systems.
In the news: A ransomware gang has infiltrated 52 vital institutions; the FBI has issued a warning.
A Chinese cybersecurity firm named Qihoo 360 ATA found and reported the vulnerabilities in Firefox to Mozilla. After the problem was revealed, Mozilla released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to solve the issues.
Both vulnerabilities are Use After Free in nature, as previously stated. When a software attempts to access or utilize memory that has already been cleared, this error occurs. Exploiting this flaw may cause applications to crash while also enabling instructions to be performed without authorisation at the same time. At this time, the exact manner of assault has not been revealed.
On the same day, a Vulnerability in the VMware vCenter server must be addressed. There were a total of 11 vulnerabilities added to the database, including the ones listed above.
|CVE Code||Vulnerability||Due Date|
|CVE-2022-26486||Use-After-Free Vulnerability in Mozilla Firefox||21/03/22|
|CVE-2022-26485||Use-After-Free Vulnerability in Mozilla Firefox||21/03/22|
|CVE-2022-26485||Server Side Request Forgery in VMware vCenter Server and Cloud Foundation (SSRF)||21/03/22|
|CVE-2020-8218||Secure Code Injection Vulnerability in Pulse Connect||07/09/22|
|CVE-2019-11581||Vulnerability in Atlassian Jira Server and Data Center Server-Side Template Injection||07/09/22|
|CVE-2017-6077||Remote Code Execution Vulnerability in NETGEAR DGN2200||07/09/22|
|CVE-2016-6277||Remote Code Execution Vulnerability in NETGEAR Multiple Routers||07/09/22|
|CVE-2013-0631||Information Disclosure Vulnerability in Adobe ColdFusion||07/09/22|
|CVE-2013-0629||Vulnerability in Adobe ColdFusion Directory Traversal||07/09/22|
|CVE-2013-0625||Vulnerability in Adobe ColdFusion Authentication||07/09/22|
|CVE-2009-3960||Information Disclosure Vulnerability in Adobe BlazeDS||07/09/22|
DirtyPipe enables attackers root access on Linux distros; a fix has been issued
When he’s not writing/editing/shooting/hosting all things tech, he streams himself racing virtual vehicles. Yadullah may be reached at [email protected], or you can follow him on Instagram or Twitter.
The “latest security advisory” is a new patch released by Mozilla. The patch adds 11 vulnerabilities to its catalogue.
- cisa advisory
- firefox vulnerability 2021
- printnightmare iocs
- us cert exchange
- us cert apple