"Google Patches Critical Chrome Vulnerability Reported by Apple"

Google and Mozilla recently announced security updates for their Chrome and Firefox web browsers, and some of the vulnerabilities they patch are potentially severe. Google announced the release of Chrome 130, which patches two vulnerabilities. The first vulnerability, tracked as CVE-2024-10487, has been described as a critical out-of-bounds write issue in Dawn, the cross-platform implementation of the WebGPU standard. The second vulnerability patched with the release of Chrome 130 is CVE-2024-10488, a high-severity use-after-free in WebRTC.

Submitted by Adam Ekwall on

"Over Half of US County Websites Could Be Spoofed"

Security researchers at Comparitech have sounded another US election warning after claiming that the majority of US county websites could be copied to spread disinformation and steal info. The researchers analyzed the websites and official contact email addresses for 3144 US counties to compile their report. The researchers found that 57% of county websites are registered with non-.gov domains, meaning they could easily be spoofed with malign intent. Additionally, over half (55%) of counties in the seven swing states have non-.gov registered domains.

Submitted by Adam Ekwall on

"French ISP Confirms Cyberattack, Data Breach Affecting 19M"

Free, a French telecommunications company and the country's second-largest Internet service provider (ISP), has recently disclosed that it fell victim to a cyberattack over the weekend. It was noted that a threat actor stole information from the company's internal management tool, gathered data on its subscribers, and attempted to sell the data on a Dark Web cybercrime forum. The hacker behind the breach, known as "drussellx," posted a message on the forum, putting two databases stolen from the ISP up for auction.

Submitted by Adam Ekwall on

NSA Updates Guidance on Russian SVR Cyber Operations

The NSA has issued updated guidance on Russian SVR cyber operations, highlighting new tactics used to target U.S. networks and providing recommendations for mitigating these threats.

Submitted by Regan Williams on

"New LightSpy Spyware Targets iOS with Enhanced Capabilities"

Security researchers at ThreatFabric have discovered a newer version of the LightSpy spyware, known for targeting iOS devices. The researchers noted that it has been expanded to include capabilities for compromising device security and stability. This latest version, identified as 7.9.0, is more sophisticated and adaptable than the original version, featuring 28 plugins compared to the 12 observed in the earlier version.

Submitted by Adam Ekwall on

"Apple Patches Over 70 Vulnerabilities Across iOS, macOS, Other Products"

Apple recently announced fresh security updates for both iOS and macOS users, addressing over 70 CVEs across its platforms, including several bugs leading to protected file system modifications. Apple noted that iOS 18.1 and iPadOS 18.1 are now rolling out to mobile users with patches for 28 vulnerabilities that could lead to information leaks, the disclosure of process memory, denial-of-service, sandbox escape, modification of protected system files, heap corruption, and access to restricted files.

Submitted by Adam Ekwall on

"Researchers Uncover Vulnerabilities in Open-Source AI and ML Models"

About three dozen security flaws have been discovered in different open source Artificial Intelligence (AI) and Machine Learning (ML) models, some of which enable Remote Code Execution (RCE) and the theft of information. The flaws, found in tools such as ChuanhuChatGPT, Lunary, and LocalAI, were reported as part of Protect AI's Huntr bug bounty program. Two of the most severe flaws are in Lunary, a production toolkit used for Large Language Models (LLMs).

Submitted by Gregory Rigby on

"ChatGPT Jailbreak: Researchers Bypass AI Safeguards Using Hexadecimal Encoding and Emojis"

Marco Figueroa, Generative Artificial Intelligence (GenAI) bug bounty programs manager at Mozilla, has disclosed new jailbreak methods that can trick the AI-driven chatbot ChatGPT into generating Python exploits and a malicious SQL injection tool. One involves encoding malicious instructions in hexadecimal format, and the other involves using emojis. ChatGPT and other AI chatbots are trained not to provide potentially hateful or harmful information.

Submitted by Gregory Rigby on

"Russia Targeting Ukrainian Military Recruits With Android, Windows Malware, Google Says"

Google warns of a Russian cyber espionage and influence campaign targeting military recruits in Ukraine to hinder the country's mobilization efforts. A Telegram user named "Civil Defense" has been distributing allegedly free software to find Ukrainian military recruiters, but it is actually platform-specific malware. The software would install commodity malware and a decoy mapping application on Android devices that do not have Google Play Protect enabled. According to Google, the operation has delivered the Android backdoor "CraxsRat" and the "SunSpinner" malware to victims.

Submitted by Gregory Rigby on