Adobe has fixed a high-severity vulnerability found in two versions of ColdFusion, a rapid development platform for building web applications, APIs, and software.
The vulnerability, tracked as CVE-2024-53961, is described as a path traversal flaw, affecting ColdFusion versions 2021 and 2023.
It was given a severity score of 7.4 (high) and, according to the associated CWE description, it can be used to create or overwrite critical files used to run code, such as programs or libraries.
Patch ASAP
“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application,” NIST explains. “This could lead to the disclosure of sensitive information or the manipulation of system data.”
This isn’t theoretical, either. According to BleepingComputer, proof-of-concept (PoC) exploit code is already available.
"Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read," Adobe said in a security advisory, as the publication stressed. The bug was given a "Priority 1" severity rating by the company, as it has "a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform."
Adobe urged users to apply the given patches immediately, preferably within 72 hours. For ColdFusion 2021, that’s Update 18, and for ColdFusion 2023, that’s Update 12.
While a PoC is available, there is no word on whether the vulnerability is actually being abused in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) doesn’t seem to have added it to its Known Exploited Vulnerabilities (KEV) catalog, which suggests that no evidence of abuse has been found yet.
However, cybercriminals know that many organizations aren’t very diligent when it comes to patching, and will often go for known flaws rather than look for zero-days. And with a PoC already available, mounting an attack could be a walk in the park.
Via BleepingComputer
The 2025 National Defense Authorization Act (NDAA) has been signed into law by President Biden, outlining the military and Pentagon policies, budgets, and priorities for the coming year.
The bill has weakened the requirement to consult a third-party to assess the feasibility of creating a US Cyber Force, as well as evaluating an ‘alternative organizational model for the cyber forces’ of the military branches.
It also allocates billions to remove and replace Chinese hardware from US networks following concerns over recent security issues and possible surveillance worries.
No FISA fix
Overall, the bill includes $895 billion in defense spending, with $3 billion of that allocated for the replacement of Chinese hardware, following recent hacking campaigns from Chinese group Salt Typhoon that targeted US telecoms giants.
The vulnerabilities exposed in those campaigns allowed the Chinese state-sponsored threat actor to lurk in the networks of internet service providers for months, and it may still be present.
The final draft of the legislation has also scrapped any deadline and nearly all of the language included in earlier drafts, which previously introduced the idea of creating a new, separate uniformed digital service - although the Pentagon lobbied against this.
The defense bill instead focuses on a Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN), which would be responsible for the defense of Pentagon networks worldwide.
The Foreign Intelligence Surveillance Act (FISA) was expected to be reined in after Senate provisions were introduced to curb the act’s power, but these provisions were cut from the final House draft of the NDAA, and the matter is reportedly unresolved behind closed doors.
House Republicans blocked the proposal, which would have narrowed the provisions of the surveillance law known as Section 702 of FISA. The provision as it stands has a broadened definition of the type of firm that can be forced to assist with surveillance and wiretapping of foreign and US citizens.
Section 702 has been criticized by privacy and civil liberties advocates for forcing US tech devices to become ‘spy machines’ for the US government - with firms like Google or AT&T required to turn over the communications of US or Foreign targets, even without warrants.
Via The Record
Video streaming behemoth Netflix is suing Broadcom over virtual machine (VM) patents.
According to the lawsuit, filed with a California federal court, Broadcom’s subsidiary VMware is in violation of five different patent rights, including the rights for “424 Patent”, “707 Patent”, “891 Patent”, “893 Patent”, and “122 Patent”.
These cover the various aspects of operating virtual machines. Three discuss CPU usage in virtual machines, and two discuss starting up at least one virtual machine in a physical machine by a load balancer.
Deliberate infringement
“Broadcom and VMware, jointly and severally, have infringed, and continue to infringe, at least Claim 1 of the ’424 Patent, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States products that are covered by at least Claim 1 of the ’424 Patent.
These products include, but are not limited to VMware vSphere Foundation, VMware Cloud Foundation, VMware Cloud on AWS, Azure VMware Solution, Google Cloud VMware Engine, Oracle Cloud VMware Solution, IBM Cloud for VMware Solutions, Alibaba Cloud VMware Service, as well as any other vSphere-based products and/or services (collectively, the “’424 Accused Products”),” it says in the lawsuit.
Netflix further claims VMware knew about the “424 Patent” since at least early August 2012, “when the ’424 Patent was cited by an examiner at the United States Patent and Trademark Office during a rejection of VMware’s application that ultimately issued as U.S. Patent No. 8,650,564.”
“Broadcom and VMware’s infringement of the ’424 Patent has been and is willful and deliberate,” Netflix concludes in the lawsuit, asking the court to order Broadcom to pay an unspecified amount in damages.
Via Reuters
Next year is lining up to be a pretty hectic one for Apple, with all kinds of new product unveilings being predicted by those in the know (including for the iPhone 17) – and we just got a little more information about when some of these launches are happening.
According to the usually reliable Mark Gurman at Bloomberg, the M4 MacBook Air refresh is going to be the first big hardware launch from Apple in 2025. That fits in with the prediction he made back in October.
But how early will we see these sleek new laptops? Earlier than the iPad 11, the iPad Air 7, and the iPhone SE 4, apparently. Those products are expected "in the spring" in the US, which will be in the fall in the southern hemisphere.
Typically for Apple, that means around March time – so while we don't have a fixed launch date for the M4 MacBook Airs, January or February look like good bets. These new models have already been leaked by Apple as well, so a launch appears to be imminent.
Another iPad 11 leak
In a separate leak, the team at MacRumors has discovered that the entry-level iPad 11 will come with iPadOS 18.3 preinstalled – that's according to an unnamed source "with a proven track record for upcoming Apple software updates".
The iPadOS 18.3 update (together with iOS 18.3) is said to be coming "in late January or early February", which would give Apple time to get it set up on new iPads ready for an unveiling sometime in March.
A launch in spring (for the northern hemisphere) is again mentioned here, adding more weight to that particular claim. It's not clear yet if Apple will hold a press event for the launch, or simply issue press releases with the news.
If we're getting a new iPad, a new iPad Air, and the iPhone SE 4, then that seems worth a full event, complete with a polished video showing Apple boss Tim Cook wandering around Apple Park in Cupertino – and we'll let you know as soon as anything is official.
Two premium WordPress plugins were found carrying more than a dozen vulnerabilities, some of which were deemed critical.
This is according to WordPress cybersecurity platform Patchstack, who found the issues in the website builder in late March 2024, and reported them to the developers. Since then, all bugs have been mitigated.
The bugs were found in WPLMS and VibeBP plugins.
Updating plugins
WordPress allows for Learning Management Systems (LMS), platforms that allow users to create, manage, and sell online courses directly from their WordPress website. LMS plugins integrate educational features and functionalities with WordPress, enabling instructors or organizations to deliver courses, track learner progress, and engage students effectively.
One of the more popular LMS platforms around is WPLMS, built by a company called VibeThemes. Purchased more than 28,000 times already, it comes with numerous features such as course creation and management, quizzes and assessments, membership and subscription support, and more.
VibeBP, on the other hand, is a WordPress plugin that integrates BuddyPress with WPLMS, enhancing its social learning features. It allows users to create communities by providing options for user profiles, activity streams, private messaging, and notifications. It was also built by VibeThemes.
Patchstack says it found 18 vulnerabilities, most of which were critical in severity.
They allowed remote, unauthenticated attackers to upload arbitrary files, execute code, escalate privileges, and perform SQL injections. In other words, they could use the bugs to take over websites, steal sensitive data, and more. One bug - CVE-2024-56046 - was even given the maximum score, 10/10, since it allows malicious actors to upload arbitrary files without authentication, potentially leading to remote code execution (RCE).
The full list of vulnerabilities, as well as affected versions, can be found in Patchstack's report.
WPLMS users should make sure their platform is upgraded to version 1.9.9.5.3 or newer, and VibeBP to 1.9.9.7.7 or newer.
As a rule of thumb, site owners should enforce secure file uploads, SQL query sanitization, and role-based access controls, Patchstack said.
Via BleepingComputer
Builder.ai may have unwittingly exposed sensitive information on millions of its users, researchers have claimed.
Jeremiah Fowler, a security researcher known for hunting down non-password protected databases containing sensitive intel, said he discovered an archive with more than 3 million records.
The database belongs to Builder.ai, a British no-code/low-code platform that enables businesses to quickly and affordably create custom software applications without requiring deep technical expertise.
Complexities with dependent systems
Fowler said the database contained 3,077,542 records, totaling 1.29TB in size, including cost proposals, NDA agreements, invoices, tax documents, email correspondence screenshots, internal image files, and much more.
“Among the most concerning files were two documents that indicated access and configuration details of two separate cloud storage databases that also included secret access keys,” Fowler said on Website Planet.
“It is hypothetically possible that those access keys could have revealed additional potentially sensitive data if they were to fall into the wrong hands.”
In total, there were 337,434 invoices and 32,810 files labeled Master service agreements. The latter also contained NDA agreements with names, emails, IP addresses, project cost summaries, and other project details.
Fowler disclosed his findings to Builder.ai; however, the company couldn’t lock the database down even a month later, citing “complexities with dependent systems” - and it isn't known whether the database is still open and accessible.
Misconfigured databases remain one of the leading causes of data leaks on the internet. Many researchers are warning that organizations don’t understand the shared responsibility model used by most cloud service providers, and that they end up generating enormous databases, filled with valuable information, which are open and accessible to all.
Should cybercriminals find these archives, they could use the information there in convincing phishing attacks, identity theft, and possibly even wire fraud.
After two decades of anticipation, the latest version of popular image editor GIMP (GNU Image Manipulation Program) is finally set to be released soon.
As a popular, free, and open source Photoshop alternative, GIMP has been a reliable tool for users since its inception in 1995.
The transition from GIMP 2.x to 3.0 marks a major milestone in the software’s long history, bringing modernized features and improvements while maintaining the familiar experience users have come to expect.
GIMP 3.0 release
The leap from GIMP 2.x to GIMP 3.0 has taken far longer than users initially expected, largely due to the complexity of maintaining an open source project with contributions from a large global community of developers.
GIMP has remained on version 2.x for over 20 years, with incremental updates introducing small yet important improvements over time.
Starting with the release of GIMP 2.0 in 2004, subsequent versions like 2.4X (2007), 2.6X (2008), and 2.8X (2012) kept the software relevant in a changing digital landscape. The most recent 2.10X update, released in 2018, has been in use for the past six years.
GIMP 3.0 is now expected to be released in late December 2024 or early January 2025.
Despite the long wait, the release of GIMP 3.0 is expected to deliver a host of modern features that will make the software more user-friendly and capable of handling the needs of today’s graphic designers.
One of the most noticeable changes in GIMP 3.0 is the new user interface. While the layout remains familiar to long-time users, the design has been smoothed out and optimized for high-resolution displays. This is a critical improvement, as older versions of GIMP often struggled with scaling issues on larger, modern screens. In GIMP 3.0, many icons have been converted to SVG (Scalable Vector Graphics), ensuring that they retain their quality no matter the display resolution.
Another major focus of the GIMP 3.0 update is compatibility. The GIMP development team has worked extensively to ensure that projects created in earlier versions of the software will remain usable in the new release. This includes stabilizing the public GIMP API (Application Programming Interface), which will make it easier to port plugins and scripts from GIMP 2.10 to GIMP 3.0.
As GIMP has grown over the years, users have come to rely on a wide array of third-party plugins, so this backward compatibility will be essential for a smooth transition.
As with any major software update, GIMP 3.0 is undergoing extensive testing. The release candidate has been made available to the community for feedback, allowing users to report any bugs or issues they encounter.
According to the development team, the speed of the final release depends on the nature of the bugs found. Small, easily fixable bugs could lead to a swift final release, while more significant issues could prompt a second release candidate for further testing.
Via Tom's Hardware
Xerox has announced an agreement to acquire Lexmark in a deal valued at $1.5 billion which will create a new global printer giant.
The company says the deal will allow Xerox to expand its print portfolio, as well as broaden its global footprint and service offerings.
“Our acquisition of Lexmark will bring together two industry-leading companies with shared values, complementary strengths, and a deep commitment to advancing the print industry to create one stronger organization,” said Steve Bandrowczak, CEO at Xerox. “By combining our capabilities, we will be better positioned to drive long-term profitable growth and serve our clients, furthering our Reinvention."
Strengthening Xerox’s position
Lexmark, founded in 1991 as a spinoff from IBM’s printer division, has been offering imaging solutions and technologies like printers and multifunction devices for more than three decades. Still headquartered in Lexington, Kentucky, the company was acquired by Chinese investors in 2016 but is now preparing to welcome a new owner.
The integration of Lexmark’s imaging technologies with Xerox’s ConnectKey technology and advanced print and digital services is intended to create a comprehensive product portfolio. This move will also strengthen Xerox’s position in the A4 color market and increase its presence in regions like Asia-Pacific.
Together, Lexmark and Xerox hold a top five global share in entry, mid, and production print markets and play a major role in the managed print services industry.
The combined organization will serve over 200,000 clients across 170 countries, supported by 125 manufacturing and distribution facilities in 16 countries, but it faces tough competition from established players like HP, Epson and Canon.
“Lexmark has a proud history of serving our customers with world-class technology, solutions and services, and we are excited to join Xerox and expand our reach with shared talent and a stronger portfolio of offerings,” said Allen Waugerman, Lexmark president and chief executive officer. “Lexmark and Xerox are two great companies that together will be even greater.”
Subject to regulatory and shareholder approvals, the deal is expected to close in the second half of 2025. Until then, both companies will continue to operate independently.
Creature Commandos are going on another mission, as the hit adult animated series has been renewed for a second season at Max.
The best Max show is the first project to be released as part of James Gunn and Peter Safran's new-look DC Cinematic Universe (DCU) and debuted to critical acclaim on December 5. With a 95% score from the critics on Rotten Tomatoes, at the time of writing, it's no surprise that Creature Commandos has been picked up for another season halfway through its seven-episode run.
James Gunn and Peter Safran, Co-Chairs, DC Studios said in a statement: “We're thrilled to team up with Max for another season of Creature Commandos mayhem. From our spectacular first season of Peacemaker to the astonishing run of The Penguin to the record-breaking launch of Creature Commandos, Max has consistently delivered above industry expectations and beyond our wildest imaginings. Thank you, Casey, Sarah, Pia, Sono and the entire team for your tremendous support of DC Studios. We are proud to call Max home.”
What is Creature Commandos about?
Creature Commandos follows "a secret team of incarcerated monsters recruited for missions deemed too dangerous for humans. When all else fails… they’re your last, worst option", reads the plotline.
The voice cast includes Steve Agee, Maria Bakalova, Anya Chalotra, Zoe Chao, Frank Grillo, Sean Gunn, David Harbour, Alan Tudyk, Indira Varma, and Viola Davis, who reprises her role as Amanda Waller from The Suicide Squad and Peacemaker.
In our spoiler-light review of Creature Commandos, TechRadar's Tom Power reveals that the first season "gets DCU Chapter One, aka 'Gods and Monsters', off to a monstrously good start". Fancy more monster madness? There's plenty of in-depth coverage and exclusive stories to check out too in our Creature Commandos guide.
Peter Girardi, executive vice president of alternative programming at Warner Bros. Animation shared: “Thanks to the brilliant imagination of James and the talent of our amazing artists, DC fans fell in love with this new family of heroes. We are excited to continue this wild ride with our partners at Max. You want more monsters, you’re getting more monsters!”
Experts have warned PyPI continues to be abused after researchers discovered more malicious packages hiding on the platform.
A report from Fortinet’s FortiGuard Labs discovered two packages designed to steal people’s login credentials, grant unauthorized access to devices, and more.
The researchers say they observed Zebo-0.1.0 and Cometlogger-0.1, two packages that masquerade as legitimate code but hide harmful features behind complex logic and obfuscation.
Smuggling malware
“The Zebo-0.1.0 script is a typical example of malware, with functions designed for surveillance, data exfiltration, and unauthorized control,” the researchers explained. “It uses libraries like pynput and ImageGrab, along with obfuscation techniques, indicating clear malicious intent.”
The Cometlogger-0.1 script, on the other hand, comes with a different set of malicious behavior, such as dynamic file manipulation, webhook injection, infostealing, and anti-VM checks.
Both packages are described as sophisticated, persistent, and dangerous.
Python is one of the world’s most popular programming languages, and by extension, PyPI is one of the world’s most popular open source code repositories. Developers build code blocks and share them with their peers via the platform. Other developers can then use those blocks in their projects, cutting down on the time needed to code different features.
This gives cybercriminals an opportunity to smuggle in malicious code and infect countless projects through the software supply chain. Sometimes they break into legitimate developer accounts and poison their packages; other times they typosquat popular packages in the hope that people will mistakenly download the malicious one.
Open source is arguably more secure, since the code is open to scrutiny from the entire community, but researchers still advise caution, and always verifying third-party scripts and executables before running them.
Furthermore, businesses should also keep their networks behind firewalls, and set up intrusion detection systems to safeguard their infrastructure.
In some bad news for retro game fans, Sega America and Europe CEO Shuji Utsumi has suggested that the company will not be making any more mini retro consoles.
The words come from a recent interview with The Guardian in which Utsumi discusses the company’s current philosophy. “Gamers loved Sega because we showed a new style, attitude and lifestyle to gamers,” he said. “I want to bring that feeling back. But we are not just a nostalgic company, we need to be innovative.”
This approach seems evident in Sega’s recent output, which has included a number of successful new titles such as Metaphor: ReFantazio in addition to new entries in long-running fan-favorite franchises like Super Monkey Ball Banana Rumble. The company has also seen success in its multimedia efforts, with the new Sonic the Hedgehog 3 film already performing well at the box office.
When asked whether the company would pursue any new mini consoles, presumably to follow up the popular Sega Genesis (or Sega Mega Drive for those outside of the US) Mini, he simply replied: “I’m not going for the mini direction. It’s not me. I want to embrace modern gamers”.
The Guardian also states that Sega then clarified that this meant there are currently no plans for any more mini consoles, which is going to be a bit of a disappointment for anyone looking forward to a potential Sega Dreamcast Mini or Sega Saturn Mini.
Even so, Utsumi rounds off the interview by reiterating his forward-facing point of view. “We are not a retro company,” he said. “We really appreciate our legacy, we value it, but at the same time, we want to deliver something new – otherwise we’ll become history.”