Cyber Security Today, July 1, 2024 – A critical patch for GitLab

Share post:

A critical patch for GitLab.

Welcome to Cyber Security Today. It’s Monday, July 1, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for

Happy Canada Day to listeners in this country. Thanks for tuning in on this long weekend.

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

GitLab has released 14 security fixes for both the community and enterprise editions of its devops platform. Of those patches one is rated critical and three are rated high severity. The company strongly recommends all GitLab installations be upgraded immediately. For developers who don’t realize, GitLab patches are issued twice a month — on the second and fourth Wednesdays.

Personal data of more than 6 million people was stolen last November in a ransomware attack on Infosys McCamish Systems. It’s a division of the Infosys IT consulting giant that provides employee insurance services for organizations. Data stolen included names, Social Security numbers, dates of birth, email addresses and passwords, medical treatment information and more. The precise number of victims was filed with the Maine attorney general’s office last week.

By contrast Ticketmaster last week wasn’t specific about the total number of victims in a recent data theft from one of its third-party data services provider. Ticketmaster only says in its filing to the state of Maine that there were more than 1,000 victims. A threat actor claims to have stolen personal information of 560 million people. Ticketmaster says those victimized bought tickets to events in the U.S., Canada and Mexico. Data stolen includes email addresses, phone numbers, encrypted credit card information as well as some other personal information provided to the company.

A new software vulnerability is published by researchers and cybersecurity companies every 17 minutes. That’s the conclusion of Skybox Security after looking at data in its annual Vulnerability and Threat Trends Report. Nearly half of all newly discovered vulnerabilities are classified as high or critical. This is why it’s vital for IT teams to prioritize which patches need to be installed based on the sensitivity of applications and data. Twenty-five per cent of vulnerabilities are exploited the same day as they are announced. Three quarters are exploited within 19 days.

How secure are the applications in your IT inventory? IT leaders are increasingly asking software providers to give them a software bill of materials so they can judge how vulnerable their applications are — particularly software that uses open source components. According to Checkmarx’s just-released State of Software Supply Chain Security, half of security leaders and developers surveyed say they request software bills of materials from software vendors. On the other hand about the same number admin they are not using this information effectively. However, the report also argues software bills of materials should be only a part of a software supply chain security program — especially if your organization builds its own applications.

Speaking of software supply chain hacks, on the latest Week in Review podcast I reported that a domain distributing the Polyfill open-source library used by websites for supporting old browsers is now distributing malware. Bleeping Computer reports this activity, as well as compromises of other code, can be traced to a common operator. This came after a researcher in China found a GitHub repository that included a file with a Cloudflare API token that could allow a knowledgeable person to do nasty things. The worry is hundreds of thousands of websites could have been or are still using compromised code.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Security research team claims to have helped avert a major supply chain attack

JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious...

Phishing attacks on state and local governments surge by 360%

Phishing attacks targeting state and local governments have surged by 360% between May 2023 and May 2024, according...

What is Ticketmaster saying to its customers?

Here's the letter that has been sent out out to Ticketmaster clients that a reader sent to me....

Will the “AI bubble” burst? Hashtag Trending for Wednesday, July 10, 2024

Europe may be reigning in big tech, but Canada and the US are struggling, despite public concern.  Analysts...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways