The Certification Authority/Browser Forum "is a cross-industry group that works together to develop minimum requirements for TLS certificates," writes Google's Security blog. And earlier this month two proposals from Google's forward-looking roadmap "became required practices in the CA/Browser Forum Baseline Requirements," improving the security and agility of TLS connections... Multi-Perspective Issuance Corroboration
Before issuing a certificate to a website, a Certification Authority (CA) must verify the requestor legitimately controls the domain whose name will be represented in the certificate. This process is referred to as "domain control validation" and there are several well-defined methods that can be used. For example, a CA can specify a random value to be placed on a website, and then perform a check to verify the value's presence has been published by the certificate requestor.

Despite the existing domain control validation requirements defined by the CA/Browser Forum, peer-reviewed research authored by the Center for Information Technology Policy of Princeton University and others highlighted the risk of Border Gateway Protocol (BGP) attacks and prefix-hijacking resulting in fraudulently issued certificates. This risk was not merely theoretical, as it was demonstrated that attackers successfully exploited this vulnerability on numerous occasions, with just one of these attacks resulting in approximately $2 million dollars of direct losses.

The Chrome Root Program led a work team of ecosystem participants, which culminated in a CA/Browser Forum Ballot to require adoption of MPIC via Ballot SC-067. The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on MPIC as part of their certificate issuance process. Some of these CAs are relying on the Open MPIC Project to ensure their implementations are robust and consistent with ecosystem expectations...

Linting
Linting refers to the automated process of analyzing X.509 certificates to detect and prevent errors, inconsistencies, and non-compliance with requirements and industry standards. Linting ensures certificates are well-formatted and include the necessary data for their intended use, such as website authentication. Linting can expose the use of weak or obsolete cryptographic algorithms and other known insecure practices, improving overall security... The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on linting as part of their certificate issuance process.
Linting also improves interoperability, according to the blog post, and helps reduce the risk of non-compliance with standards that can result in certificates being "mis-issued".

And coming up, weak domain control validation methods (currently permitted by the CA/Browser Forum TLS Baseline Requirements) will be prohibited beginning July 15, 2025.

"Looking forward, we're excited to explore a reimagined Web PKI and Chrome Root Program with even stronger security assurances for the web as we navigate the transition to post-quantum cryptography."

Windows Defender has begun identifying WinRing0 -- a kernel-level driver used by numerous hardware monitoring applications -- as malicious software, causing widespread functionality issues for affected tools. The driver, which provides low-level hardware access necessary for reading fan speeds, controlling RGB lighting, and monitoring system components, is being quarantined due to potential security vulnerabilities that could be exploited by malware.

WinRing0 gained popularity among developers because it's one of only two freely available Windows drivers capable of accessing the SMBus registers needed for hardware monitoring functions. The affected applications include Fan Control, OpenRGB, MSI Afterburner, LibreHardwareMonitor, and multiple others that rely on this driver to communicate with system hardware.

CISA has warned U.S. federal agencies about active exploitation of vulnerabilities in Cisco VPN routers and Windows systems. "While the cybersecurity agency has tagged these flaws as actively exploited in the wild, it has yet to provide specific details regarding this malicious activity and who is behind it," adds Bleeping Computer. From the report: The first flaw (tracked as CVE-2023-20118) enables attackers to execute arbitrary commands on RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers. While it requires valid administrative credentials, this can still be achieved by chaining the CVE-2023-20025 authentication bypass, which provides root privileges. Cisco says in an advisory published in January 2023 and updated one year later that its Product Security Incident Response Team (PSIRT) is aware of CVE-2023-20025 publicly available proof-of-concept exploit code.

The second security bug (CVE-2018-8639) is a Win32k elevation of privilege flaw that local attackers logged into the target system can exploit to run arbitrary code in kernel mode. Successful exploitation also allows them to alter data or create rogue accounts with full user rights to take over vulnerable Windows devices. According to a security advisory issued by Microsoft in December 2018, this vulnerability impacts client (Windows 7 or later) and server (Windows Server 2008 and up) platforms.

Today, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security bugs the agency has tagged as exploited in attacks. As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 23, to secure their networks against ongoing exploitation.

A malicious PyPi package effectively turned its users' systems "into an illicit network for facilitating bulk music downloads," writes The Hacker News.

Though the package has been removed from PyPI, researchers at security platform Socket.dev say it enabled "coordinated, unauthorized music downloads from Deezer — a popular streaming service founded in France in 2007." Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions... The package is designed to log into Deezer, harvest track metadata, request full-length streaming URLs, and download complete audio files in clear violation of Deezer's API terms... [I]t orchestrates a distributed piracy operation by leveraging both user-supplied and hardcoded Deezer credentials to create sessions with Deezer's API. This approach enables full access to track metadata and the decryption tokens required to generate full-length track URLs.

Additionally, the package routinely communicates with a remote server... to update download statuses and submit metadata, thereby centralizing control and allowing the threat actor to monitor and coordinate the distributed downloading operation. In doing so, automslc exposes critical track details — including Deezer IDs, International Standard Recording Codes, track titles, and internal tokens like MD5_ORIGIN (a hash used in generating decryption URLs) — which, when collected en masse, can be used to reassemble full track URLs and facilitate unauthorized downloads...

Even if a user pays for access to the service, the content is licensed, not owned. The automslc package circumvents licensing restrictions by enabling downloads and potential redistribution, which is outside the bounds of fair use...
"The malicious package was initially published in 2019, and its popularity (over 100,000 downloads) indicates wide distribution..."

An anonymous reader quotes a report from Ars Technica: Amnesty International on Friday said it determined that a zero-day exploit sold by controversial exploit vendor Cellebrite was used to compromise the phone of a Serbian student who had been critical of that country's government. [...] The chain exploited a series of vulnerabilities in device drivers the Linux kernel uses to support USB hardware. "This new case provides further evidence that the authorities in Serbia have continued their campaign of surveillance of civil society in the aftermath of our report, despite widespread calls for reform, from both inside Serbia and beyond, as well as an investigation into the misuse of its product, announced by Cellebrite," authors of the report wrote.

Amnesty International first discovered evidence of the attack chain last year while investigating a separate incident outside of Serbia involving the same Android lockscreen bypass. [...] The report said that one of the vulnerabilities, tracked as CVE-2024-53104, was patched earlier this month with the release of the February 2025 Android Security Bulletin. Two other vulnerabilities -- CVE-2024-53197 and CVE-2024-50302 -- have been patched upstream in the Linux kernel but have not yet been incorporated into Android. Forensic traces identified in Amnesty International's analysis of the compromised phone showed that the Serbian authorities tried to install an unknown application after the device had been unlocked. The report authors said the installation of apps on Cellebrite-compromised devices was consistent with earlier cases the group has uncovered in which spyware tracked as NoviSpy spyware were installed.

As part of the attack, the USB port of the targeted phone was connected to various peripherals during the initial stages. In later stages, the peripherals repeatedly connected to the phone so they could "disclose kernel memory and groom kernel memory as part of the exploitation." The people analyzing the phone said the peripherals were likely special-purpose devices that emulated video or sound devices connecting to the targeted device. The 23-year-old student who owned the phone regularly participates in the ongoing student protests in Belgrade. Any Android users who have yet to install the February patch batch should do so as soon as possible.

North Korean hackers have executed the largest cryptocurrency theft in history, draining $1.5 billion from Dubai-based exchange Bybit by compromising its multisignature cold wallet system. The attackers stole over 400,000 ethereum and staked ethereum coins without exploiting code vulnerabilities or infrastructure.

Security researchers from Elliptic identified North Korean signatures in the subsequent laundering operations, consistent with the nation's ongoing cryptocurrency theft operations that fund its weapons programs. Investigators determined the hackers manipulated the user interfaces on multiple Bybit employees' devices simultaneously, tricking authorized personnel into approving what appeared to be legitimate transactions. This sophisticated attack "altered the smart contract logic and masked the signing interface," according to Bybit's disclosure.

"The Bybit hack has shattered long-held assumptions about crypto security," noted researchers at Check Point. "No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link."

Google is preparing to abandon SMS verification codes for Gmail authentication in favor of QR codes, Gmail spokesperson Ross Richendrfer told Forbes. The move aims to address significant security vulnerabilities inherent in SMS-based verification while combating fraudulent exploitation of Google's messaging infrastructure, he said.

"Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication," Richendrfer said. The transition will target "rampant, global SMS abuse" that undermines security and enables criminal schemes. SMS verification currently serves dual purposes at Google: confirming user identity and preventing service abuse. However, these codes are vulnerable to phishing, dependent on carrier security practices, and frequently exploited in "traffic pumping" scams where fraudsters profit from artificially triggered SMS messages.

The forthcoming implementation will display QR codes that users scan with their phone cameras instead of entering six-digit codes. This approach eliminates shareable verification codes and reduces dependency on telecom carriers. The changes will roll out "over the next few months," the company said.

A recently patched Palo Alto Networks vulnerability (CVE-2025-0108) is being actively exploited alongside two older flaws (CVE-2024-9474 and CVE-2025-0111), allowing attackers to gain root access to unpatched firewalls. The Register reports: This story starts with CVE-2024-9474, a 6.9-rated privilege escalation vulnerability in Palo Alto Networks PAN-OS software that allowed an OS administrator with access to the management web interface to perform actions on the firewall with root privileges. The company patched it in November 2024. Dark web intelligence services vendor Searchlight Cyber's Assetnote team investigated the patch for CVE-2024-9474 and found another authentication bypass.

Palo Alto (PAN) last week fixed that problem, CVE-2025-0108, and rated it a highest urgency patch as the 8.8/10 flaw addressed an access control issue in PAN-OS's web management interface that allowed an unauthenticated attacker with network access to the management web interface to bypass authentication "and invoke certain PHP scripts." Those scripts could "negatively impact integrity and confidentiality of PAN-OS."

The third flaw is CVE-2025-0111 a 7.1-rated mess also patched last week to stop authenticated attackers with network access to PAN-OS machines using their web interface to read files accessible to the "nobody" user. On Tuesday, US time, Palo A lot updated its advisory for CVE-2025-0108 with news that it's observed exploit attempts chaining CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. The vendor's not explained how the three flaws are chained but we understand doing so allows an attacker to gain more powerful privileges and gain full root access to the firewall. PAN is urging users to upgrade their PAN-OS operating systems to versions 10.1, 10.2, 11.0, 11.1, and 11.2. A general hotfix is expected by Thursday or sooner, notes the Register.

Apple has released emergency security updates for iOS 18.3.1 and iPadOS 18.3.1 to patch a zero-day vulnerability (CVE-2025-24200) that was exploited in "extremely sophisticated," targeted attacks. The flaw, which allowed a physical attack to disable USB Restricted Mode on locked devices, was discovered by Citizen Lab and may have been used in spyware campaigns; users are strongly advised to install the update immediately. BleepingComputer reports: USB Restricted Mode is a security feature (introduced almost seven years ago in iOS 11.4.1) that blocks USB accessories from creating a data connection if the device has been locked for over an hour. This feature is designed to block forensic software like Graykey and Cellebrite (commonly used by law enforcement) from extracting data from locked iOS devices.

In November, Apple introduced another security feature (dubbed "inactivity reboot") that automatically restarts iPhones after long idle times to re-encrypt data and make it harder to extract by forensic software. The zero-day vulnerability (tracked as CVE-2025-24200 and reported by Citizen Lab's Bill Marczak) patched today by Apple is an authorization issue addressed in iOS 18.3.1 and iPadOS 18.3.1 with improved state management.

The list of devices this zero-day impacts includes: - iPhone XS and later,
- iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

Joseph Firmage, a former Silicon Valley prodigy who built a $2.5 billion web services company in the 1990s, is now being sued by investors who claim he defrauded them through an alleged antigravity machine scheme. In 1998, at the height of his success as CEO of USWeb, Firmage claimed an alien appeared in his bedroom, derailing his corporate career. He then spent decades pursuing UFO research and attempting to develop antigravity propulsion technology, raising millions from investors.

Court documents allege Firmage and associates are responsible for roughly $25 million in losses through various companies and schemes. Some investors say he used elaborate ruses, including people impersonating government officials, to solicit funds. Firmage, currently in jail on elder abuse charges, maintains he was actually the victim of international scammers who exploited his access to investors.

An anonymous reader quotes a report from The Verge: The Biden administration finalized a new rule that would effectively ban all Chinese vehicles from the US under the auspices of blocking the "sale or import" of connected vehicle software from "countries of concern." The rule could have wide-ranging effects on big automakers, like Ford and GM, as well as smaller manufacturers like Polestar -- and even companies that don't produce cars, like Waymo. The rule covers everything that connects a vehicle to the outside world, such as Bluetooth, Wi-Fi, cellular, and satellite components. It also addresses concerns that technology like cameras, sensors, and onboard computers could be exploited by foreign adversaries to collect sensitive data about US citizens and infrastructure. And it would ban China from testing its self-driving cars on US soil.

"Cars today have cameras, microphones, GPS tracking, and other technologies connected to the internet," US Secretary of Commerce Gina Raimondo said in a statement. "It doesn't take much imagination to understand how a foreign adversary with access to this information could pose a serious risk to both our national security and the privacy of U.S. citizens. To address these national security concerns, the Commerce Department is taking targeted, proactive steps to keep [People's Republic of China] and Russian-manufactured technologies off American roads." The rules for prohibited software go into effect for model year 2027 vehicles, while the ban on hardware from China waits until model year 2030 vehicles. According to Reuters, the rules were updated from the original proposal to exempt vehicles weighing over 10,000 pounds, which would allow companies like BYD to continue to assemble electric buses in California. The Biden administration published a fact sheet with more information about this rule.

"[F]oreign adversary involvement in the supply chains of connected vehicles poses a significant threat in most cars on the road today, granting malign actors unfettered access to these connected systems and the data they collect," the White House said. "As PRC automakers aggressively seek to increase their presence in American and global automotive markets, through this final rule, President Biden is delivering on his commitment to secure critical American supply chains and protect our national security."

U.S. software giant Ivanti has warned that a zero-day vulnerability in its widely-used enterprise VPN appliance has been exploited to compromise the networks of its corporate customers. From a report: Ivanti said on Wednesday that the critical-rated vulnerability, tracked as CVE-2025-0282, can be exploited without any authentication to remotely plant malicious code on Ivanti's Connect Secure, Policy Secure, and ZTA Gateways products. Ivanti says its Connect Secure remote-access VPN solution is "the most widely adopted SSL VPN by organizations of every size, across every major industry."

This is the latest exploited security vulnerability to target Ivanti's products in recent years. Last year, the technology maker pledged to overhaul its security processes after hackers targeted vulnerabilities in several of its products to launch mass-hacks against its customers. The company said it became aware of the latest vulnerability after its Ivanti Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances.

"Millions of computers are heading towards a security crisis as Microsoft plans to end support for Windows 10 on October 14, 2025," writes BetaNews: 32 million devices — roughly 65 percent of household computers in Germany — are still running the aging operating system. In the DACH region, including Austria and Switzerland, over 35 million systems rely on Windows 10, leaving millions of users exposed to potential cyberattacks once updates stop. By contrast, only about 33 percent of German devices have transitioned to Windows 11, and over a million are still running even older systems like Windows 8, 7, or XP.

Thorsten Urbanski, an IT security expert at ESET, is sounding the alarm. "It's five minutes to midnight to prevent a security fiasco in 2025. We strongly urge users not to wait until October. Upgrade to Windows 11 now or choose an alternative operating system if your device cannot support the latest version. Otherwise, users are exposing themselves to significant security risks, including dangerous cyberattacks and data breaches...."

Urbanski also points out that the current situation is worse than when Windows 7 support ended in 2020. By late 2019, over 70 percent of users had already switched to Windows 10, while only about 20 percent remained on Windows 7. Today, the transition to Windows 11 is far slower, creating a dangerous environment. "Cybercriminals know these numbers well and are waiting for the end-of-support date. Once that hits, vulnerabilities will be exploited en masse."
"Those unable to move to Windows 11 are being advised to consider Linux as a secure alternative, especially for older hardware."

Thanks to Slashdot reader BrianFagioli for sharing the news.

Since 2021, Apple has been sending threat notifications to certain users, informing them that they may have been individually targeted by mercenary spyware attacks. When victims of spyware reach out to Apple for help, TechCrunch reports, "Apple doesn't tell the targets to get in touch with its own security engineers." Instead, Apple directs them to the nonprofit security lab Access Now, "which runs a digital helpline for people in civil society who suspect they have been targets of government spyware."

While some view this as Apple sidestepping responsibility, cybersecurity experts agree that Apple's approach -- alerting victims, directing them to specialized support, and recommending tools like Lockdown Mode -- has been a game changer in combating mercenary spyware threats. From the report: For people who investigate spyware, Apple sharing spyware notifications with victims represented a turning point. Before the notifications, "We were just like in the dark, not knowing who to check," according to Access Now's legal counsel Natalia Krapiva. "I think it's one of the greatest things that's happened in the sphere of this kind of forensic investigations and hunting of sophisticated spyware," Krapiva told TechCrunch.

Now, when someone or a group of people get a notification from Apple, they are warned that something potentially anomalous is happening with their device, that someone is targeting them, and that they need to get help. And Apple tells them exactly where to get it, according to Scott-Railton, who said Access Now's helpline is the right place to go because "the helpline is able to do good, systematic triage work and support." Krapiva said that the helpline is staffed by more than 30 people, supported by others who work in other departments of the nonprofit. So far in 2024, Krapiva said Access Now received 4,337 tickets through the helpline.

For anyone alerted by a notification, Apple tells those targets and victims of spyware to update their iOS software and all their apps. Apple also suggests the user switches on Lockdown Mode, an opt-in iOS security feature that has stopped spyware attacks in the past by limiting device features that are often exploited to plant spyware. Apple said last year that it is not aware of any successful spyware infection against someone who used Lockdown Mode.

A U.S. judge has ruled that Israeli spyware maker NSO Group breached hacking laws by using WhatsApp to infect devices with its Pegasus spyware. From a report: In a historic ruling on Friday, a Northern California federal judge held NSO Group liable for targeting the devices of 1,400 WhatsApp users, violating state and federal hacking laws as well as WhatsApp's terms of service, which prohibit the use of the messaging platform for malicious purposes.

The ruling comes five years after Meta-owned WhatsApp sued NSO Group, alleging the spyware outfit had exploited an audio-calling vulnerability in the messaging platform to install its Pegasus spyware on unsuspecting users' devices. WhatsApp said that more than 100 human rights defenders, journalists and "other members of civil society" were targeted by the malware, along with government officials and diplomats. In her ruling, Judge Phyllis Hamilton said NSO did not dispute that it "must have reverse-engineered and/or decompiled the WhatsApp software" to install its Pegasus spyware on devices, but raised questions about whether it had done so before agreeing to WhatsApp's terms of service.

The Department of Homeland Security (DHS) believes that China, Russia, Iran, and Israel are the "primary" countries exploiting security holes in telecommunications networks to spy on people inside the United States, which can include tracking their physical movements and intercepting calls and texts, according to information released by Senator Ron Wyden. 404 Media: The news provides more context around use of SS7, the exploited network and protocol, against phones in the country. In May, 404 Media reported that an official inside DHS's Cybersecurity Insurance and Security Agency (CISA) broke with his department's official narrative and publicly warned about multiple SS7 attacks on U.S. persons in recent years. Now, the newly disclosed information provides more specifics on where at least some SS7 attacks are originating from.

The information is included in a letter the Department of Defense (DoD) wrote in response to queries from the office of Senator Wyden. The letter says that in September 2017 DHS personnel gave a presentation on SS7 security threats at an event open to U.S. government officials. The letter says that Wyden staff attended the event and saw the presentation. One slide identified the "primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers," it continues.

chiguy writes: In October, a jury in a federal class-action lawsuit returned a verdict that found Cognizant intentionally discriminated against more than 2,000 non-Indian employees between 2013 and 2022. The verdict, which echoed a previously undisclosed finding from a 2020 US Equal Employment Opportunity Commission investigation, centered on discrimination claims based on race and national origin. Cognizant, based in Teaneck, New Jersey, was found to have preferred workers from India, most of whom joined the firm's US workforce of about 32,000 using skilled-worker visas called H-1Bs.

The case is part of a wave of recent discrimination claims against IT outsourcing companies that underscore growing concerns that these firms have exploited a broken employment-visa system to secure a cheaper, more malleable workforce. In the process, US workers say they've been disadvantaged. The industry, which provides computer services to other companies, makes extensive use of H-1Bs; over the past decade and a half, no employer has obtained more of them than Cognizant, federal records show.

An anonymous reader quotes a report from TechCrunch: Security researchers have uncovered two previously unknown zero-day vulnerabilities that are being actively exploited by RomCom, a Russian-linked hacking group, to target Firefox browser users and Windows device owners across Europe and North America. RomCom is a cybercrime group that is known to carry out cyberattacks and other digital intrusions for the Russian government. The group -- which was last month linked to a ransomware attack targeting Japanese tech giant Casio -- is also known for its aggressive stance against organizations allied with Ukraine, which Russia invaded in 2014.

Researchers with security firm ESET say they found evidence that RomCom combined use of the two zero-day bugs -- described as such because the software makers had no time to roll out fixes before they were used to hack people -- to create a "zero click" exploit, which allows the hackers to remotely plant malware on a target's computer without any user interaction. "This level of sophistication demonstrates the threat actor's capability and intent to develop stealthy attack methods," ESET researchers Damien Schaeffer and Romain Dumont said in a blog post on Monday. [...] Schaeffer told TechCrunch that the number of potential victims from RomCom's "widespread" hacking campaign ranged from a single victim per country to as many as 250 victims, with the majority of targets based in Europe and North America. Mozilla and the Tor Project quickly patched a Firefox-based vulnerability after being alerted by ESET, with no evidence of Tor Browser exploitation. Meanwhile, Microsoft addressed a Windows vulnerability on November 12 following a report by Google's Threat Analysis Group, indicating potential use in government-backed hacking campaigns.

Palo Alto Networks boasts 70,000 customers in 150 countries, including 85% of the Fortune 500.

But this week "thousands of Palo Alto Networks firewalls were compromised by attackers exploiting two recently patched security bug," reports the Register: The intruders were able to deploy web-accessible backdoors to remotely control the equipment as well as cryptocurrency miners and other malware. Roughly 2,000 devices had been hijacked as of Wednesday — a day after Palo Alto Networks pushed a patch for the holes — according to Shadowserver and Onyphe. As of Thursday, the number of seemingly compromised devices had dropped to about 800. The vendor, however, continues to talk only of a "limited number" of exploited installations... The Register has asked for clarification, including how many compromised devices Palo Alto Networks is aware of, and will update this story if and when we hear back from the vendor.

Rumors started swirling last week about a critical security hole in Palo Alto Networks appliances that allowed remote unauthenticated attackers to execute arbitrary code on devices. Exploitation requires access to the PAN-OS management interface, either across the internet or via an internal network. The manufacturer did eventually admit that the firewall-busting vulnerability existed, and had been exploited as a zero-day — but it was still working on a patch. On Tuesday, PAN issued a fix, and at that time said there were actually two vulnerabilities. The first is a critical (9.3 CVSS) authentication bypass flaw tracked as CVE-2024-0012. The second, a medium-severity (6.9 CVSS) privilege escalation bug tracked as CVE-2024-9474. The two can be chained together to allow remote code execution (RCE) against the PAN-OS management interface... once the attackers break in, they are using this access to deploy web shells, Sliver implants, and/or crypto miners, according to Wiz threat researchers.

Five local privilege escalation (LPE) vulnerabilities in the Linux utility "needrestart" -- widely used on Ubuntu to manage service updates -- allow attackers with local access to escalate privileges to root. The flaws were discovered by Qualys in needrestart version 0.8, and fixed in version 3.8. BleepingComputer reports: Complete information about the flaws was made available in a separate text file, but a summary can be found below:

- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input. The report notes that attackers would need to have local access to the operation system through malware or a compromised account in order to exploit these flaws. "Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited," adds BleepingComputer.