At a glance.
- Plex releases urgent security patch.
- Norwegian dam sabotage blamed on pro-Russian hackers.
- New HTTP/2 flaw can be used to launch major DDoS attacks.
Plex releases urgent security patch.
Media streaming platform Plex emailed users yesterday urging them to update their media servers as soon as possible due to a recently patched vulnerability, BleepingComputer reports. The flaw hasn't yet been assigned a CVE-ID, and the company hasn't shared additional details. The flaw affects Plex Media Server versions 1.41.7.x to 1.42.0.x.
BleepingComputer notes that Plex rarely emails customers about individual vulnerabilities, so users should take the warning seriously and update to version 1.42.1.10060.
Norwegian dam sabotage blamed on pro-Russian hackers.
The Norwegian Police Security Service (PST) has attributed an April cyberattack on a dam to pro-Russian hackers, the Associated Press reports. The hackers took control of the Bremanger dam's control systems and opened its floodgate, releasing more than seven million gallons of water before the incident was detected and remediated four hours later. The river was far below flood levels, so no damage was caused.
In a speech on Wednesday, PST director Beate Gangås said the incident appeared to be a display of the hackers' capabilities rather than an attempt to cause real damage. "They don’t necessarily aim to cause destruction, but to show what they are capable of," Gangås said. "The purpose of these kinds of actions is to exert influence and create fear or unrest in the population."
New HTTP/2 flaw can be used to launch major DDoS attacks.
Security researchers from Imperva and Tel Aviv University discovered a design flaw in HTTP/2 implementations that can be exploited to launch large-scale DDoS attacks, SecurityWeek reports. The flaw is a variant of the HTTP/2 Rapid Reset vulnerability that surfaced in 2023. Imperva has dubbed the new variant "MadeYouReset."
Imperva explains, "[T]he attack moves beyond resetting streams directly and instead targets the server’s behavior when handling invalid (but protocol-compliant) frames. But here’s the twist: the client never sends a single RST_STREAM frame. Instead, it sends carefully crafted frames that violate protocol expectations in subtle ways. The server, upon processing these frames, detects an invalid internal state and reacts by resetting the stream or the entire connection, essentially performing the attack on itself."
Multiple vendors, including Apache, Fastly, and Mozilla, have issued patches or mitigations for the flaw, according to Carnegie Mellon.
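As an added illustration (not code from Imperva, the researchers, or any vendor's patch), the sketch below shows why a Rapid Reset defence that counts only client-sent RST_STREAM frames misses this variant, and how a per-connection budget that counts every stream reset, whichever side triggered it, flags both patterns. The event data, thresholds and connection ids are constructed for the example.

```python
from collections import deque

# Constructed stream-reset events: (connection id, time in seconds, origin).
# origin "client" = an RST_STREAM frame arrived from the client (classic Rapid Reset);
# origin "server" = the server aborted the stream itself after a well-formed but
# invalid frame, the MadeYouReset pattern described above. All values are made up.
EVENTS = (
    [("conn-A", 0.001 * i, "client") for i in range(300)]   # Rapid Reset style burst
    + [("conn-B", 0.001 * i, "server") for i in range(300)] # MadeYouReset style burst
    + [("conn-C", 0.5 * i, "server") for i in range(20)]    # benign occasional server resets
)


def connections_to_close(events, max_resets=100, window_s=1.0, count_server_resets=True):
    """Return the ids of connections whose stream resets in any sliding window of
    window_s seconds exceed max_resets.

    With count_server_resets=False this behaves like a defence that only counts
    client-sent RST_STREAM frames, so server-initiated resets are invisible to it.
    """
    per_conn = {}          # connection id -> timestamps of resets inside the window
    flagged = set()
    for conn_id, ts, origin in sorted(events, key=lambda e: e[1]):
        if origin == "server" and not count_server_resets:
            continue       # a client-only counter never sees these resets
        window = per_conn.setdefault(conn_id, deque())
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()           # drop resets that fell out of the window
        if len(window) > max_resets:
            flagged.add(conn_id)       # budget exhausted: close this connection
    return flagged


if __name__ == "__main__":
    print("client-only counter closes:", sorted(connections_to_close(EVENTS, count_server_resets=False)))
    print("origin-agnostic counter closes:", sorted(connections_to_close(EVENTS)))
```

Running it shows the client-only counter closing conn-A alone, while the origin-agnostic counter closes conn-A and conn-B and leaves the low-rate conn-C untouched.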