Latest news with #vulnerabilities
Yahoo
a day ago
- Business
- Yahoo
OPINION: Why 'least privilege' is Canada's best defence
Microsoft just hit a record high of 1,360 reported vulnerabilities in its software last year. While that number might sound scary, it's part of a trend we've seen for years. The real problem lies in what's behind the numbers and what they mean for Canadian businesses trying to stay secure in a fast-moving world. As BeyondTrust's latest Microsoft Vulnerabilities Report reveals, one type of security risk is especially alarming: elevation of privilege (EoP). This category made up 40 per cent of Microsoft's total reported vulnerabilities in 2024. That's not just a statistic; it's a wake-up call. What's elevation of privilege and why should Canadians care? Imagine someone finds a way to break into your office using a stolen key card. That's what an elevation of privilege attack is like in the digital world. Once inside, hackers can quietly move through your systems, taking control of sensitive data or expanding their access without being noticed. These attacks often begin with compromised credentials, sometimes even from non-human identities like service accounts. The problem snowballs from there. We've seen it over and over in major data breaches: attackers find one weak point, then jump from system to system. And Microsoft isn't the only target. If 40 per cent of their vulnerabilities are EoP-related, imagine how many other software platforms that Canadian companies rely on could also be vulnerable. The rise of security feature bypass attacks Another disturbing trend is the spike in security feature bypass vulnerabilities, up 60 per cent since 2020. These are loopholes hackers use to get around built-in protections in tools like Microsoft Office and Windows. Think of these bypasses as digital 'unlocked doors.' If an attacker finds one, it doesn't matter how strong your locks are, they're walking right in. Tools like EDR (endpoint detection and response) are meant to stop threats, but attackers are finding ways around them too. We've seen the rise of tools like EDR Killer that are designed specifically to sneak past these defences. Why Canadian companies can't rely on just one layer of security Some businesses still make the mistake of thinking one product or platform will keep them safe. But cybersecurity isn't about one silver bullet. It's about layered defences, also known as 'defence in depth.' For example, if a patch causes problems or breaks other tools, companies might delay applying it. But that delay gives attackers a window of opportunity. The better approach? Have multiple layers of protection in place, especially for front-line systems and high-risk assets. Microsoft Edge: The new problem child? One surprise in this year's report was the jump in Microsoft Edge vulnerabilities. Critical issues rose from 1 to 9 and total vulnerabilities increased from 249 to 292. Has Microsoft shifted its focus too much toward Azure and Dynamics 365? It's a question worth asking, especially when everyday tools like browsers are often the first entry point for cyberattacks. AI brings new benefits and new risks Artificial Intelligence (AI) is transforming how businesses operate, but it's also opening the door to new threats. Microsoft Copilot Studio and Azure Health Bot, for instance, were flagged for AI-related vulnerabilities in this year's report. AI is already being used by threat actors to automate attacks, identify weaknesses faster and even write malicious code. We haven't yet seen a large-scale attack where an AI or large language model (LLM) becomes the main infection point, but that day is coming. The biggest question on the horizon: can we trust the output from AI tools? What if the answers, code or insights we get from AI are secretly manipulated by a hacker? Canadian companies need to think about how to secure not just their AI tools, but also the data and systems that feed them. AI security can't be an afterthought; it must be built into every layer of your defence strategy. The power of 'least privilege' in a 'zero-trust' world One of the most effective ways to reduce risk is by applying the principle of 'least privilege.' It's not a new idea, but it's more important than ever. 'Least privilege' means giving every user—human or machine—only the access they absolutely need to do their job. Nothing more. If someone doesn't need admin rights, don't give it to them. If a service account only needs access to one system, don't let it roam freely. This approach limits the damage if (or when) something goes wrong. It's also a key part of a 'zero-trust strategy,' which assumes no one and nothing should be trusted automatically, even if they're already 'inside' your network. In fact, many organizations confuse 'zero trust' with 'least privilege.' The difference is that 'zero trust' is the overall strategy, and 'least privilege' is a tactical way to enforce it. A practical step Canadian companies can take right now? Audit your users and systems. Who has access to what and why? You might be shocked by how many people or services have more access than they actually need. Identities are the new perimeter Cybersecurity used to be about building firewalls around a company's data centre. But in today's world of cloud apps, hybrid work and global supply chains, identity is the new perimeter. Attackers are no longer just looking for software flaws. They're targeting people, especially those with access and privileges. That includes your employees, partners, contractors and even automated systems. That's why privilege access management (PAM) and identity-first security strategies are so critical for Canadian businesses. These approaches don't just monitor threats; they help stop them at the source by locking down who can do what, where and when. The bottom line going forward Cybersecurity isn't about being perfect; it's about being proactive. You can have 99.9 per cent of your environment locked down, but if there's a .01 per cent vulnerability, that's all an attacker needs. Canadian organizations need to shift their mindset from reactive to proactive. That means applying patches smartly, layering defences, adopting AI cautiously and putting 'least privilege' at the heart of your security program. Because when it comes to protecting your business, every identity and every privilege matters. Dan Deganutti is the senior vice president and country manager for Canada at BeyondTrust, where he leads the company's Canadian go to market (GTM) operations and fosters relationships with clients and business partners. This section is powered by Revenue Dynamix. Revenue Dynamix provides innovative marketing solutions designed to help IT professionals and businesses thrive in the Canadian market, offering insights and strategies that drive growth and success across the enterprise IT spectrum. Error in retrieving data Sign in to access your portfolio Error in retrieving data Error in retrieving data Error in retrieving data Error in retrieving data
Forbes
2 days ago
- Forbes
Google Chrome Warning — Windows, Android, Mac And Linux Users Act Now
Update Chrome now. Google users are accustomed to being urged to update now, which is hardly surprising, as its products and services are a magnet for cybercriminals due to the extensive user footprint they enjoy. Google has advised users to replace all Gmail passwords and update to a passkey instead, following numerous account takeover attacks, Google Messages is getting a critical security update, and then there's Chrome, of course. Hot on the heels of a June 10 urgent Google Chrome browser security update, just a week later, the technology behemoth has confirmed yet another security scare that requires users of the world's most popular web browser across all platforms with the exception of iOS to update now. Google has now confirmed two new security vulnerabilities that impact users of Chrome across the Android, Linux, Mac and Windows platforms. The vulnerabilities, both given a high-severity rating and earning four-figure bounty rewards for the researchers who discovered and disclosed them, could enable a successful attacker to execute arbitrary code on your device with all the consequences that can bring. It is for this reason that it's vital you don't wait for the update to reach your browser in the 'coming days and weeks,' as Google noted in its June 17 confirmation, but rather kickstart that process now and ensure the security patches have been activated and are protecting your system. The two vulnerabilities are: CVE-2025-6191: An integer overflow security vulnerability in Chrome's V8. JavaScript rendering engine. CVE-2025-6192: A use-after-free security vulnerability in Chrome's Profiler function. The Google Chrome update process actually happens automatically, but, as Google has noted, it can take some days to reach your browser. When it does, you will see a notification when the update to version 137.0.7151.119/.120. This alone does not mean that you are protected; you need to activate the update in order for it to do that. Err on the side of caution and kickstart the updating process so you can be sure your browser and the data it can access are appropriately protected immediately. Kickstart your Google Chrome update now. Head for the Help menu and select About Google Chrome. This will check for and download the update, and then all you have to do is activate it for instant security from these vulnerabilities. Don't worry, your tabs will reopen as well, so you won't lose them. So, what are you waiting for? Android users simply need to update the Chrome app. Relaunch Google Chrome to activate security updates.
Forbes
3 days ago
- Forbes
Google Chrome Warning—Do Not Ignore 7 Day Update Deadline
New Chrome warning for 2 billion users. New warnings have been issued for Chrome's 3 billion users, emphasizing the need to keep browsers updated at all times. Google has just issued a new update, which fixes two high-severity vulnerabilities and should be installed right away. More critically, an ongoing update mandate deadline in now just 7 days away. America's cyber defense agency warns Chrome 'contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.' CISA says update before June 26 or stop using Chrome. The formal mandate applies just to federal employees, but CISA operates 'for the benefit of the cybersecurity community and network defenders — and to help every organization better manage vulnerabilities and keep pace with threat activity.' That means all organizations should take note of this deadline and adhere if possible. That should be evident anyway, but a new warning has just detailed exploitation of a Google Chrome zero-day disclosed earlier this year. Kaspersky discovered 'a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers' website was opened using the Google Chrome web browser.' Now, Positive Technologies says its Threat Intelligence Department 'analyzed an attack that exploited [this] zero-day vulnerability (sandbox escape)' dating back to 2024. As I warned when CVE-2025-2783 was first disclosed, Google quickly released an emergency update and then CISA issued a 21-day update mandate. The current CISA update mandate is for CVE-2025-5419, which is also an 'out-of-bounds read and write in V8,' a similar memory issue to the integer overflow and use after free vulnerabilities patched this week, albeit those do not have known exploits as yet. We're two weeks into CISA's mandate, and so this is the period of maximum risk. Ensure your browsers are updated — which means restarting when it downloads. While home users should adhere to CISA warnings, it's more critical for enterprises likely to come under attack from sophisticated phishing campaigns exploiting these vulnerabilities. Remember, once the flaw is made public, it's a race against time for attackers to use it or lose it when browsers are patched. Do that right away.
The Sun
09-06-2025
- The Sun
I'm the famous Peru Two drug mule – this is my warning to Brit tourists… and how gangs know EXACTLY who to target
PERU Two drug mule Michaella McCollum has warned Brit tourists about how trafficking gangs lure young girls into their criminal operations. The infamous drug trafficker served three years behind bars in 2013 alongside Melissa Reid after they were handpicked to smuggle £1.5million worth cocaine into Peru. 8 8 Since being freed from a hellhole jail in Lima, McCollum transformed her life and is now a mum and public speaker. Part of her work includes exposing how foreign drug operations try and recruit British mules. The 31-year-old appeared on Good Morning Britain this morning to speak on the increasing danger of Brits being preyed upon abroad. It comes after a spate of young women being arrested on trafficking charges including Bella May Culley, 18, and Charlotte May Lee, 21. McCollum told Susanna Reid that people are often picked by drug chiefs specifically due to how vulnerable they appear. She explained: "That's what they do these organisations, they have people that are pickers and their job is to pick people to become mules. "They'll target vulnerabilities which might be age because at 19 or 20 you're incredibly naive, you're easy to manipulate. "Then women as well as obviously women tend to be groomed and coerced in situations a lot more. "Then whether you have a drug addiction as that could also be a vulnerability." McCollum was aged 19 at the time of her first being recruited with her Peru Two partner Reid being only 20. She has also been open about her drug habits around the time of her arrest as she believes this contributed to her recruitment. Bella Culley - the teen arrested in Georgia last month - was seen smoking in videos shared to her social media in the weeks before she was stopped at the border and detained. Michaella also revealed that the drug kingpins ordering young women to become traffickers are masters at manipulation. She says that when she was first coerced into taking a suitcase of cocaine across the border her bosses convinced her that everything would be okay. Michaella was made to feel like a "little girl" when she questioned the dangers of smuggling, she said. Her concerns were always met with simple solutions, she added. She recalled once asking about how they would get the drugs through the airport before being told the airport staff is in cahoots with the operations being carried out and allow them. By the time she realised the answers were a lie, Michaelle said she was already in handcuffs. 8 8 8 She continued: "You have to understand that the level of manipulation that goes on behind it as it's not just overnight, it can be weeks of manipulation. "They ended up making me believe that this was totally fine. I was being dramatic, I was being naive to question it. "So I was so scared to say no and men know they can manipulate women to do things and I was so scared to just say no." Both Peru Two mules became friends when holidaying in Ibiza in August 2013 and were soon coerced into cocaine trafficking. But in October, they were arrested as they stepped off a lane in Lima, Peru. McCollum and Reid were convicted of drug smuggling and sentenced to six years and eight months in a dismal Ancon 2 prison. At the time, the pair's horror trip led them to becoming household names as they both admitted to being used by the gangs. In recent weeks, a string of British women have faced similar worrying experiences after being recruited by foreign gangs. A couple claiming to be tourists from Thailand were busted with more than 33kg of cannabis in their suitcases at a Spanish airport in May. Why Brit backpackers are prime targets, Thai cop reveals By Patrick Harrington, Foreign News Reporter Police Lieutenant Colonel Arun Musikim, Deputy Inspector of the Surat Thani province police force, said: 'Cases involving British nationals smuggling cannabis have been around for a while. 'There is a lot of cannabis grown on Thailand's islands in the south because the climate is suitable and it is legal. A lot of gangs are attracted to this. 'There are now various smuggling methods that we have seen. Some carry it themselves, some hire backpackers, and some send it via mail. 'This year, there have been many cases we have intercepted. Most involve British and Malaysian nationals. 'It's easy for British citizens to travel as they can enter Thailand and return to the UK without needing a visa. 'Most of the smugglers are people hired to carry the cannabis, similar to how tourists might smuggle tax-free goods. 'They're usually unemployed individuals from the UK. The gangs offer them flights, pocket money and hotel stays, just to come and travel and take a bag back home with them. 'These people often have poor social standing at home and are looking for ways to earn quick money. They find them through friends or on social media. 'Many will go to festivals or parties while they are here, just like they are having a normal trip abroad. 'They are told that it is easy and they will not be caught. Then the amount the organisers can sell the cannabis for in the UK is much higher than it costs in Thailand. 'Police suspect that there are multiple employers and groups receiving the drugs on the other end. The cannabis then enters the UK market. 'We are being vigilant to ensure there are no routes out of the country.' A British OnlyFans model was also caught allegedly smuggling nearly £200,000 worth of Thai cannabis into Spain. But the two largest and most concerning cases covered Bella and Charlotte. Bella sparked a massive international search operation in early May after she was reported missing while holidaying in Thailand. However, it was later revealed that the teen, from Billingham, County Durham, had been arrested 4,000 miles away on drug offences in Georgia. She was allegedly carrying 30 pounds (14kg) of cannabis into the ex-Soviet nation. Around the same time, 21-year-old Charlotte Lee May, from Coulsdon, south London, was also arrested in the Sri Lankan capital Colombo after police discovered 46 kg of 'Kush' - a synthetic strain of cannabis - in her suitcase. The former flight attendant is now facing up to 25 years in prison if convicted. 8 8
Forbes
28-05-2025
- Business
- Forbes
Google's New Chrome Update—Do Not Ignore June 5 Deadline
Why you need to update Chrome now NurPhoto via Getty Images Google has just updated Chrome again, warning that two high-severity vulnerabilities put PCs at risk. The 'use after free' and 'out of bounds' memory issues are typical for the browser, and while there are no attack warnings this time, these are the types of flaws often chained to other exploits to enable attacks. Details are scarce, as Google says 'access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.' There are 11 fixes in total with the release of version 137.0.7151.55/56. The new high- and medium-severity fixes are as follows: Earlier this month, Google warned that Chrome had been actively exploited and issued an urgent fix for CVE-2025-4664. The company's confirmation 'that an exploit exists in the wild' followed a public disclosure on X from @slonser_ that a query parameter takeover could exploit sensitive data in a string which 'might lead to an Account Takeover' if the query parameter is stolen. Given attacks in the wild, America's cyber defense agency issued a mandatory warning for federal staff to update or stop using browsers by June 5. While that update instruction isn't mandatory for other users, you should follow suit and update by June 5. This vulnerability was openly disclosed from the get-go and is now in the public domain. That leaves browsers at risk until updates are applied. CISA's remit is 'to help [all organizations] As Cybersecurity News warns 'the vulnerability poses significant risks, including unauthorized data leakage across web origins… Given its classification as a zero-day flaw, it was exploited before Google released the patch, heightening the urgency for mitigation.' Remember, you need to restart your browser once the update has downloaded. As long as you have the current version, all past fixes will be applied and you will be protected.
