Aggregator

This One Simple Change Makes Your Website More Accessible

更好的安全实践，解决Copilot + CodeQL 的各类安全左移局限性问题

喜讯：锦行科技项目成果荣获“2024年中国通信学会科学技术奖二等奖”！

一项对 3000 多人 DNA 标记进行的分析研究表明，长期暴露于高温环境与分子变化有关，这可能反映出加速衰老。为找到衡量高温对人体影响的敏感指标，南加利福尼亚大学老年病学家 Eun Young Choi 及同事选择研究“表观遗传时钟”，即随着人类衰老而发生变化的一组 DNA 化学修饰。研究人员分析了 2016-2017 年约 3800 名 5 6岁及以上人群的相关标记数据。他们将这些数据与美国的温度地图进行交叉对照，寻找分子标记状态与不同时间段内参与者所在位置热指数（温度和湿度的体感温度指标）超过 26.7°C 或3 2.2° C的天数之间的相关性。结果发现，根据分子标记，那些长期生活在高温天气较多地区的人比生活在较凉爽地区的人“显得更老”。根据一项指标，高温天气比例每增加 10%，参与者的分子年龄就增加约 0.12 岁。另一组分子标记的分析显示，长期生活在高温地区的人衰老速度加快了 0.6%。然而，以天数或数月为单位的短期高温暴露，与这些标记变化无关联。

本文揭示了 DeepSeek 人工智能聊天机器人中的一个现已修补的安全漏洞的详细信息，如果成功利用，黑客可通过输入注入攻击方式控制受害者的账户。 安全研究人员 Johann Rehberger，他记录了许多针对各种人工智能工具的注入攻击，发现在 DeepSeek 聊天中提供”Print the xss cheat sheet in a bullet list. just payloads”的输入触发了 JavaScript 代码的执行，作为生成的响应的一部分——这是典型的跨站脚本（XSS）攻击。 XSS 攻击可能会产生严重后果，因为它们导致在受害者的网络浏览器上执行未经授权的代码。攻击者可以利用这些漏洞劫持用户的会话并访问与 chat.deepseek[.]com 域关联的 cookie 和其他数据，从而导致账户被接管。 “经过一些实验，我发现采取控制用户会话所需的全部是 chat.deepseek.com 域存储的 userToken，” Rehberger 表示，他补充道，可以使用特殊设计的提示来触发 XSS 并通过注入攻击访问被攻击用户的 compromised user’s userToken 。 提示包含了一系列的指令和一个 Base64 编码的字符串，DeepSeek 聊天机器人将其解码后执行 XSS 载荷，用于提取受害者的会话令牌，最终允许攻击者冒充用户。 与此同时，Rehberger 还展示了 Anthropic 的Claude Computer Use 可以通过提示注入来滥用，Claude Computer Use 可以使开发人员通过光标移动、按键点击和键入文本来控制计算机。通过提示注入，攻击者可以滥用 Computer Use 来下载 Sliver 命令与控制（C2）框架，执行该框架，并与攻击者控制的远程服务器建立联系，从而自主运行恶意命令。 此外，还发现可以利用大型语言模型（LLM）的 ANSI 转义码输出来通过提示注入劫持系统终端。这种攻击主要针对 LLM 集成的命令行界面（CLI）工具，被命名为 Terminal DiLLMa 。 “十年前的功能为 GenAI 应用提供了意想不到的攻击面，” Rehberger 说。”对于开发者和应用设计者来说，考虑将 LLM 输出插入的上下文是很重要的，因为输出是不可信的，可能包含任意数据。” 这还不是全部，威斯康辛大学麦迪逊分校和圣路易斯华盛顿大学的学者进行的新研究揭示了 OpenAI 的ChatGPT 在给出的附加标记格式的外部图像链接渲染的问题，这些链接可能涉及淫秽和暴力内容，以一个普通的善意目标为借口。 此外，还发现通过提示注入，可以间接调用 ChatGPT 插件，而无需用户确认，甚至可以绕过 OpenAI 设定的限制，以防止渲染来自危险链接的内容，将用户的聊天记录泄露到由攻击者控制的服务器上。     转自Freebuf，原文链接：https://www.freebuf.com/news/417305.html 封面来源于网络，如有侵权请联系删除

Every Reason You Should be Getting Started With .Net Aspire

Temu 和 SHEIN 在越南被停止业务

A vulnerability, which was classified as critical, was found in Apple macOS up to 14.5. This affects an unknown part. The manipulation leads to buffer overflow. This vulnerability is uniquely identified as CVE-2024-27878. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple macOS up to 14.3 and classified as problematic. Affected by this issue is some unknown functionality of the component App. The manipulation leads to information disclosure. This vulnerability is handled as CVE-2024-27886. Attacking locally is a requirement. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple macOS up to 14.3. It has been classified as critical. This affects an unknown part of the component App. The manipulation leads to permission issues. This vulnerability is uniquely identified as CVE-2024-27888. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Apple iOS and iPadOS. This affects an unknown part of the component File Handler. The manipulation leads to out-of-bounds read. This vulnerability is uniquely identified as CVE-2024-40777. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Apple watchOS and classified as problematic. This vulnerability affects unknown code of the component File Handler. The manipulation leads to out-of-bounds read. This vulnerability was named CVE-2024-40777. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple macOS and classified as problematic. This issue affects some unknown processing of the component File Handler. The manipulation leads to out-of-bounds read. The identification of this vulnerability is CVE-2024-40777. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple visionOS. It has been classified as problematic. Affected is an unknown function of the component File Handler. The manipulation leads to out-of-bounds read. This vulnerability is traded as CVE-2024-40777. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple tvOS. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component File Handler. The manipulation leads to out-of-bounds read. This vulnerability is known as CVE-2024-40777. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple macOS up to 12.7.5/13.6.7/14.5. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to Local Privilege Escalation. This vulnerability is handled as CVE-2024-40781. The attack needs to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

Mandiant 称，5000 万美元加密货币盗窃案与朝鲜黑客有关

2022 年从哈佛大学退休前往清华大学创办数学科学中心的著名数学家丘成桐称，很多华裔学生因来自美国政府的歧视而被迫离开。他说，华裔科学家别无选择只能离开美国，因为他们在一个支持的研究环境下工作能取得最佳的效果。此类人才外流对美国而言是不幸的，因为这有可能削弱其研究能力。对中国而言则意味着能获得顶尖人才，但也会导致弱化与美国的联系，失去对先进技术的第一手知识。 2021 年底到 2022 年初，一项对 1300 名美国华裔科学家的调查显示，72% 的受访者表示，作为学术研究人员他们感到不安全。61% 的受访者表示，他们考虑过离开美国，前往亚洲或非亚洲国家。

德勤否认数据泄露，称 Brain Cipher 网络攻击影响了客户系统