The vulnerability lies in the way HTTP/2 implementations handle CONTINUATION frames, which are used to transmit header blocks larger than the maximum frame size. Attackers exploit this weakness by sending an excessive number of CONTINUATION frames within a single HTTP/2 stream. This flood of frames overwhelms the server's capacity to process them efficiently.

Securing custom applications in a sea of vulnerabilities is daunting. To make the task even more challenging, the threat to applications continues to grow: 8 out of the top 10 data breaches last year were related to application attack surfaces.1 This blog details two effective strategies for identifying vulnerabilities in custom software applications so they can be quickly addressed.

A week ago, on March 29th, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that two versions of xz Utils, were found to have been compromised. The xz Utils code had been tampered with to include a malicious “backdoor” that would ultimately give attackers the same level of control over affected systems as authorized administrators.

Zero-day vulnerabilities are the surprise no developer wants to get. Because these security flaws are unknown to developers, they have zero days to prepare or mitigate the vulnerability before an exploit can occur. 62% of vulnerabilities were first exploited as zero-day vulnerabilities, so they are far more prevalent than we think. Even Google Chrome can attest to that after discovering a series of zero-day vulnerabilities that left its billions of users at risk in 2023.

The Common Vulnerability Scoring System (CVSS) is used to evaluate and communicate the technical severity of software, hardware and firmware vulnerabilities. While CVSS has been around for nearly 2 decades and now stands as an industry standard tool for scoring the severity of a vulnerability, the framework still has its limitations. To mitigate some of these challenges and improve the efficacy of the system, an updated version of CVSS was released in November 2023.

Google has issued a security advisory to owners of its Android Pixel smartphones, warning that it has discovered someone has been targeting some devices to bypass their built-in security. What makes the reported attacks particularly interesting is that traditional cybercriminals may not be behind them, but rather "forensic companies" exploiting two vulnerabilities to extract information and prevent remote wiping.

A look at the recently discovered backdoor hiding in the open source XZ Utils compression service.

A contributor to the liblzma library (a compression library that is used by the OpenSSH project, among many others) submitted malicious code that included an obfuscated backdoor. Since the maintainers had no reason to suspect foul play, they accepted and merged the contribution. The malicious code made it into the compression library release, and later on to the OpenSSH server, which relies on the library in question.