10.06.2025

New AI tool targets critical hole in thousands of open source apps

CSO Online 09.06.2025 17:43

Dutch and Iranian security researchers have created an automated genAI tool that can scan huge open source repositories and patch vulnerable code that could compromise applications.

Tested by scanning GitHub for a particular path traversal vulnerability in Node.js projects that’s been around since 2010, the tool identified 1,756 vulnerable projects, some described as “very influential,” and led to 63 projects being patched so far.

The tool opens the possibility for genAI platforms like ChatGPT to automatically create and distribute patches in code repositories, dramatically increasing the security of open source applications.

But the research, described in a recently published paper, also points to a serious limitation in the use of AI that will need to be fixed for this solution to be effective. While automated patching by a large language model (LLM) dramatically improves scalability, the patch also might introduce other bugs.

New Way to Track Covertly Android Users

Schneier on Security 09.06.2025 12:54

Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught.

The details are interesting, and worth reading in detail:

>Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities…

Cloud assets have 115 vulnerabilities on average — some several years old

CSO Online 09.06.2025 11:30

Companies are having a hard time keeping their cloud infrastructure secure and the race to adopt and integrate AI services into their apps and workflows is making things worse.

Having analyzed billions of production assets on AWS, Azure, Google Cloud, Oracle Cloud and Alibaba Cloud this year, researchers from Orca Security warn that cloud assets have on average 115 vulnerabilities and over half of organizations have at least one such vulnerability that’s over 20 years old. This is an alarming trend considering that attackers, including state-backed cyberespionage groups, have increasingly targeted cloud infrastructure in recent years.

A third of analyzed cloud assets fall into Orca’s neglected-asset category — resources that use operating systems that are no longer supported and haven’t been patched in over 180 days. Almost all companies have at least one neglected asset, usually virtual machines.

Organizations are also feeling the pressure to adopt AI so they don’t get left behind, but this rushed approach often comes at the cost of security. According to Orca’s findings, 62% of organizations have at least one vulnerable AI-related package in their cloud environments, and many of these AI flaws are of medium severity or above, enabling attacks such as data leakage or remote code execution.

Vulnerability exploitation on the rise

According to Verizon’s 2025 Data Breach Investigations Report (DBIR), an analysis of 22,000 security incidents, including 12,195 confirmed data breaches in 139 countries, vulnerability exploitation was the second-most prevalent initial access vector after credential abuse, overtaking phishing for the first time.

Coupled with the fact that many organizations now employ hybrid environments that combine local and cloud assets, vulnerabilities in either setting are highly attractive targets for attackers.

Orca found that over two-thirds of organizations have at least one cloud asset that is public-facing and enables lateral movement. Moreover, 55% of organizations have assets deployed across multiple cloud providers.

Web services are the most vulnerable assets, with 82% of organizations having at least one unpatched web service. And those vulnerabilities are not all new: 98% of organizations have at least one cloud asset vulnerability that’s over 10 years old.

Log4Shell and Spring4Shell, highly publicized and widely exploited flaws reported in 2021 and 2022 respe