Infosec in brief The European Union's Parliament and Council have reached an agreement on the Cyber Resilience Act, setting the long-awaited security regulation on a path to final approval and adoption, with a carve-out for open source software that is not supplied commercially.
The CRA was proposed by the European Commission in September 2022 and imposes mandatory cyber security requirements on hardware and software products with a digital element - from baby monitors to routers, as the Commission put it.
The Act enters into force 20 days after its publication in the EU's Official Journal, once Parliament and the Council have formally adopted it, and it will require hardware and software makers to meet some demanding targets.
These include an obligation to report any newly discovered vulnerability under active exploitation to the designated authorities within 24 hours of becoming aware of it, security patch support for the product's expected lifetime (at least five years in most cases), thorough documentation of all security features, and more.
While better security is all well and good, concerns have been raised over the effect the CRA could have on open source software, which is often maintained by a handful of volunteers despite being embedded in many larger commercial products.
Open source maintainers may find it hard to meet short deadlines for patches, documentation and vulnerability reporting.
Fears over the CRA were voiced as recently as October, when it was apparent that the Commission had largely ignored the open source community as it finalized the Act.
Luckily, the agreed text appears to address those concerns: open source software developed or supplied outside a commercial activity falls outside the Act's obligations, which land on the vendors that ship it in their products instead.
The shortness of today's critical vulnerabilities list isn't to say it hasn't been a busy week on the critical vulnerabilities front - quite the contrary.
We had a silent data-corruption bug reported in OpenZFS, Google patched six vulnerabilities in Chrome - including one under active exploitation - and Apple issued an emergency patch to WebKit for a pair of vulnerabilities already under attack on iPhones, iPads and Macs.
TikTokers defeat Montana's ban on their favorite app.
US District Judge Donald Molloy issued a preliminary injunction blocking the law, known as SB 419 and passed in May, finding it unlikely to survive constitutional scrutiny.
The judge's decision was made in response to a lawsuit brought by a group of TikTok users who were quietly being funded by the social network.
Regardless of who paid for the suit, Molloy found that Montana's legislature had overstepped its authority.
TikTok applauded the ruling, while Montana's attorney general, the defendant in the TikTokers' case, only wanted to remind everyone that the fight isn't over and the state still has a chance to appeal.
What a steal: Nearly two million sets of employee data lifted from US dollar stores.
US discount retail chains Dollar Tree and Family Dollar have had nearly two million sets of employee data leaked after a breach at a third-party vendor.
Zeroed-In Technologies, which provides analytics software for HR departments at the two chains, told the Maine attorney general's office of a breach that occurred in August but was only recently reported.
According to a letter sent to affected individuals, names, dates of birth and social security numbers may have been exposed - but Zeroed-In isn't entirely sure.
It's unclear whether Zeroed-In customers aside from the pair of dollar store chains were affected.
Published on go.theregister.com, Mon, 04 Dec 2023 06:43:06 +0000.