this post was submitted on 22 Sep 2023
21 points (95.7% liked)

Technology

60105 readers
1918 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] autotldr@lemmings.world 4 points 1 year ago

This is the best summary I could come up with:


Incomplete information included in recent disclosures by Apple and Google reporting critical zero-day vulnerabilities under active exploitation in their products has created a “huge blindspot” that’s causing a large number of offerings from other developers to go unpatched, researchers said Thursday.

Two weeks ago, Apple reported that threat actors were actively exploiting a critical vulnerability in iOS so they could install espionage spyware known as Pegasus.

Apple said the vulnerability, tracked as CVE-2023-41064, stemmed from a buffer overflow bug in ImageIO, a proprietary framework that allows applications to read and write most image file formats, which include one known as WebP.

Rather than Apple, Google, and Citizen Lab coordinating and accurately reporting the common origin of the vulnerability, they chose to use a separate CVE designation, the researchers said.

It is best practice for software products to track upstream libraries they depend on in order to pick up security fixes and improvements.”

The representative didn’t explain why the official CVE and Google’s disclosure did not mention the widely used libwebp library or the likelihood that other software was also likely to be vulnerable.


The original article contains 547 words, the summary contains 183 words. Saved 67%. I'm a bot and I'm open source!