GitHub still vulnerable to repojacking
Just when GitHub thought their repojacking troubles were over, a new critical vulnerability could have exposed over 4000 repos. Remember - if you must change your organization name, always ensure you own the previous name (even as a placeholder) so that malicious actors can’t poison your software supply chain.
Microsoft releases new patches, also leaks 38TB of private data.
Microsoft announced 62 bug fixes for Patch Tuesday, including two zero-day vulnerabilities that had already been exploited in the wild. Six days later, Microsoft AI researchers accidentally exposed 38TB of additional private data when publishing a bucket of open-source training data to their GitHub. The culprit? A misconfigured access token that granted full-control (not read-only) access to the storage.
The additional files exposed included secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. Here’s hoping those office memes were saved somewhere secure.
More rotten Apple(s)
Apple geeks are smug no longer after the company released emergency updates to fix 3 new zero-days that have already been exploited. 16 zero-days have been reported this year, making a strong case for auto-updates being left on.
Not all leaks are cyberattacks
Toyota learned a hard lesson about security this week: sometimes the call really is coming from inside the house. A major data outage caused production to shut down in over a dozen factories for 24 hours. The culprit this time was server maintenance which replicated an issue in backup servers, causing production to cease. “These are multi-billion-dollar companies. You'd think they'd have backups all over the place.”
Toyota, get in touch - perhaps we can help.