BreachForums admin 'Pompourin' gets 20-year sentence - The Register

Last Friday the US District Court for the Eastern District of Virginia ruled [PDF] that Fitzpatrick will spend the next 20 years of his life on supervised release.
For the first two years he'll be under home arrest and tracked by a GPS device, and for the first year he's forbidden to use the internet.
The series of nine vulnerabilities is found in EDK II - an open source implementation of UEFI maintained by TianoCore - according to the researchers from Quarkslab who discovered the issue.
Dubbed PixieFail, the weaknesses can be exploited through the preboot execution environment specification used for network booting.
According to the researchers, the vulnerabilities are specifically found in the NetworkPkg module included in EDK II, which is used by vendors including Arm, Insyde Software, American Megatrends, Phoenix Technologies and Microsoft.
Machines using EDK II that boot from a network using PXE - and, most crucially, are configured to use IPv6 - are all exposed to exploitation of these vulnerabilities.
As has been well established by previous UEFI exploits like BlackLotus and LogoFail - the latter only just discovered in December - such vulnerabilities can be serious, and there's no exception in the case of PixieFail.
The researchers claim unauthenticated remote attackers could use PixieFail to do all the usual things internet miscreants do - like trigger a denial of service, leak information, remotely execute code, poison DNS caches, hijack network sessions and the like.
Proofs of concept are available, but we've been told there's no real-world exploit out there yet.
Critical vulnerabilities: Another Chrome zero-day to patch.
We covered several critical vulnerabilities this week, like a pair of Citrix NetScaler bugs under active exploit and the resurgence of some years-old vulnerabilities being hit by Androxgh0st malware, which is being used to build a botnet.
Lucky for you that leaves little in the way of other critical vulnerabilities to report.
CVSS 9.8 - CVE-2023-35078: It's not a new bug, but this authentication bypass vulnerability in Ivanti Endpoint Manager Mobile is under active exploitation, so be sure you're on a version newer than 11.10.
CVSS n/a - CVE-2024-0519: This Chrome zero day OOB memory access vulnerability in the V8 JavaScript engine has yet to be given a score, but it's being actively exploited, so patch up ASAP.
Who'da thunk: iOS log file an easy way to detect Pegasus infections.
Kaspersky researchers have found a simple solution that - they claim - works consistently to detect Pegasus, Predator and Reign, another similar spyware tool: Log files.
According to Kaspersky researchers, who tested Pegasus for their research but said Predator and Reign use similar filesystem paths, the Pegasus process doesn't shut down cleanly when iOS devices are rebooted, leaving an entry in Shutdown.
Grant money stolen from US government in spearphishing attack.
The US Department of Health and Human Services was reportedly hit by a spearphishing attack last year that allowed cyber criminals to make off with $7.5 million in grant money.
According to Bloomberg's sources, the stolen funds were withdrawn from accounts containing money already allocated to five grant recipients, leaving HHS without money to award to the parties.
Particulars of the projects whose grant money was stolen weren't shared, though Bloomberg said $1.5 million of the pot was intended for high-need communities in the US. The five projects have yet to be funded, Bloomberg's sources claim, and the government has yet to identify the culprits.


This Cyber News was published on go.theregister.com. Publication date: Mon, 22 Jan 2024 02:43:05 +0000

