InfoSec Brief The EU Parliament and Council have reached an agreement on the Cyber Resilience Act (CRA), setting the long-awaited security regulation on the path to final approval and adoption, and adding an exemption for open source software among other new rules.

The CRA was proposed by the European Commission in September 2022 and imposes mandatory cybersecurity requirements for all hardware and software products – from baby monitors to routers, the EU Commission said.

Once implemented, which will happen 20 days after being adopted by Parliament and the Council, the CRA will require hardware and software manufacturers to meet some intimidating targets. The terms include a 24-hour disclosure period for any newly discovered security flaws under active exploitation, five years of security patch support, thorough documentation of all security features, and more.

Manufacturers, importers and distributors will have 36 months to adopt the requirements or face a fine of up to €15 million or 2.5 percent of total worldwide annual turnover.

While improved security is all well and good, concerns have been raised over the potential impact of the CRA on open source software, which is often maintained by only a handful of people despite its importance to larger products. Open source maintainers may find it difficult to meet short deadlines for patches, documentation, and disclosure.

Fears over the CRA were expressed as recently as October, when it became clear that the Commission had largely ignored the open source community when finalizing the Act.

Fortunately, the latest version of the CRA appears to address those concerns.

The proposed version of the CRA reads, “In order not to hinder innovation or research, free and open source software developed or supplied in the course of commercial activity should not be covered by this regulation.”

“We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open source community,” Nicola Danti, a leading Member of the European Parliament (MEP), said of the CRA agreement. “Only together will we be able to successfully respond to the coming cyber security emergency in the years to come.”

Serious Weaknesses: Just a Few Footnotes

The lack of a critical vulnerabilities list today does not mean that it has not been a busy week on the critical vulnerabilities front – quite the contrary.

We had a data-destroying bug reported in OpenZFS, Google patched six vulnerabilities in Chrome – one of which was under active exploitation – and Apple released an emergency WebKit patch for a pair of vulnerabilities already under attack on iPhones, iPads and Macs.

Some other issues did not make as many headlines this week:

CVSS 9.8 – Multiple CVEs: Delta Electronics’ InfraSuite device master monitoring software contains a series of vulnerabilities that could let an attacker obtain plaintext credentials and execute arbitrary code.

CVSS 9.1 – Multiple CVEs: Many PTC industrial networking products are vulnerable to stack-based buffer overflows and improper certificate validation, which could allow an unauthenticated attacker to crash the device and steal data.

TikTokers beat back Montana’s ban on their favorite app

The US state of Montana’s ban on TikTok, set to take effect on January 1, 2024, has been blocked by a federal judge, who found that the law would “limit constitutionally protected First Amendment speech.”

The judge found that the law, known as SB 419, passed in May, is unlikely to pass scrutiny.

“Despite the state’s effort to defend SB 419 as a consumer protection bill, the current record leaves no doubt that Montana’s legislature and Attorney General would rather target China’s direct role in TikTok than protect Montana consumers,” explained Judge Donald W. Molloy of the U.S. District Court for Montana.

The judge’s decision was made in response to a lawsuit brought by a group of TikTok users who were quietly being funded by the social network. Regardless, it appeared that Montana’s legislature was exceeding its authority, Molloy found.

TikTok applauded the move, while the attorney general of Montana, the defendant in the TikTokers’ case, just wanted to remind everyone that the fight is not over, and the state still has a chance to appeal.

What a steal: Nearly two million sets of employee data lifted from US dollar store

US discount retail chains Dollar Tree and Family Dollar have had nearly two million sets of employee data leaked following a breach by a third-party vendor.

Zeroed-In Technologies, which provides analytics software for the human resources departments at the two chains, told the Maine Attorney General’s Office about a breach that occurred in August but was only recently disclosed.

According to a letter sent to affected individuals, names, dates of birth and Social Security numbers may have been exposed — but Zeroed-In is not completely certain. “Although the investigation was able to determine that … the system was accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor.”

Few other details were provided. It is also unclear whether Zeroed-In customers other than the pair of dollar store chains were affected. Zeroed-In customers who haven’t heard from the firm should probably check whether they were caught up in the incident.

Source: www.theregister.com