The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
Cyber Security News

350K Open-Source Projects At Risk of Supply Chain Vulnerability

September 21, 2022

Trellix has announced the establishment of the Trellix Advanced Research Center, a facility and project aimed at producing real-time intelligence and threat indicators to help customers detect, respond to and remediate the latest cybersecurity threats.

“The threat landscape is scaling in sophistication and potential for impact,” said Trellix chief product officer Aparna Rayasam. “We do this work to make our digital and physical worlds safer for everyone. With adversaries strategically investing in talent and technical know-how, the industry has a duty to study the most combative actors and their methods to innovate at a faster rate.”

Upon its establishment, the Trellix Advanced Research Center also published its research into CVE-2007-4559, a vulnerability estimated to be present in approximately 350,000 open-source projects and multiple closed-source projects.


The flaw resides in the Python tarfile module, which is installed automatically with any project using the Python programming language. It is commonly found in frameworks created by Netflix, AWS, Intel, Facebook and Google, as well as in applications used for machine learning, automation and Docker containerization.

According to Trellix, the vulnerability can be exploited by uploading a malicious file generated with a couple of lines of code, which allows attackers to then achieve arbitrary code execution.

“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident; however, building on top of weak code foundations can have an equally severe impact,” explained Christiaan Beek, head of adversarial and vulnerability research at Trellix.

“This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It is critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”

Further, the company said that while open-source developer tools like Python are necessary to advance computing and innovation, they rely heavily on industry collaboration for protection from known vulnerabilities.

To this end, Trellix said it is working to push code via GitHub pull requests to protect open-source projects from the vulnerability.

“A free tool for developers to check if their applications are vulnerable is available on Trellix Advanced Research Center’s GitHub,” the company wrote.

This is not the first time Python-based applications have come under scrutiny recently. Earlier this month, a joint advisory by SentinelLabs and Checkmarx linked a threat actor known as ‘JuiceLedger’ to the first known phishing campaign targeting Python Package Index (PyPI) users.


Some elements of this article are sourced from:
www.infosecurity-magazine.com
