Source: go.theregister.com – Author: Brandon Vigliarolo
Infosec In Brief Microsoft has decided to push its consumer customers to dump passwords in favor of passkeys.
The software giant announced the move Thursday, May 1, traditionally known as “World Password Day,” with a declaration it had joined forces with the Fast Identity Online (FIDO) Alliance to rename the pseudo-holiday “World Passkey Day.”
Redmond’s not just playing with words, as the company has also decided that all new Microsoft accounts will use passkeys by default. Passkeys, FIDO credentials that are unlocked on the user’s own device with a biometric such as a fingerprint or face scan, or with a PIN, rather than a secret typed into a login form, will be the default way to set up an account, and existing Microsoft users are being encouraged to visit their account settings page to delete their passwords and switch to passkeys.
Microsoft has also reworked its sign-in UI to prioritize passwordless methods and, perhaps most controversially, will start deciding which login method is best for each user.
“For example, if you have a password and ‘one time code’ set up on your account, we’ll prompt you to sign in with your one time code instead of your password,” Microsoft wrote. “After you’re signed in, you’ll be prompted to enroll a passkey.”
Microsoft’s passkey push is not new. As we noted late last year, Microsoft isn’t giving its customers a way to opt out of the nudges, saying that declining passkey invitations for good wasn’t possible.
The Windows giant has argued that passkeys are faster, more secure and less likely to leave a user unable to log in, and it’s intent on making sure everyone transitions to its preferred authentication technique.
“Although passwords have been around for centuries, we hope their reign over our online world is ending,” Microsoft said.
Maybe this will help rehabilitate the company’s poor record on security?
Critical vulnerabilities: NetWeaver under exploit
Remember that CVSS 10.0 vulnerability in SAP NetWeaver we covered in late April? We suspected at the time that it might have been exploited before news of the issue emerged.
Now we know for sure that it was exploited, thanks to the addition of CVE-2025-31324 to CISA’s known exploited vulnerabilities catalog.
Elsewhere in actively exploited critical vuln news:
- CVSS 9.8 – CVE-2025-42599: A stack-based buffer overflow in Active! Mail 6 BuildInfo 6.60.05008561 and earlier versions.
- CVSS 9.1 – CVE-2024-38475: Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier lets attackers map URLs to filesystem locations the server is permitted to serve but that were never meant to be reachable directly, resulting in code execution or source code disclosure.
- CVSS 8.8 – CVE-2025-3928: An unspecified vulnerability in Commvault Web Server lets a remote, authenticated attacker compromise affected systems by creating and executing webshells.
- CVSS 8.6 – CVE-2025-1976: Brocade’s Fabric OS versions 9.1.0 through 9.1.1d6 contain a code injection vulnerability: root access was removed without the accompanying restrictions for local users with admin privilege, so such a user can run arbitrary code with full root privileges.
Raytheon settles charges it lied to feds about cybersecurity compliance
Defense contractor Raytheon and one of its former subsidiaries have settled with the US government to resolve claims they failed to comply with federal cybersecurity regulations.
Raytheon agreed to the settlement after it was accused of not implementing required security controls on a system it developed to handle unclassified work for 29 different contracts with the Department of Defense between 2015 and 2021. Nightwing, a cybersecurity and intelligence company that bought a Raytheon subsidiary called Raytheon Cyber Solutions after the time of the alleged infractions, was also part of the settlement agreement.
The Department of Justice said in the settlement order [PDF] that Raytheon failed to meet all the cybersecurity requirements of federal acquisition regulation 52.204-21 and NIST special publication 800-171 [PDF]. By failing to comply with those requirements, Raytheon and Nightwing also allegedly violated defense federal acquisition regulation 252.204-7012, which covers the security of DoD information and cyber incident reporting, the DoJ said.
Raytheon and Nightwing have agreed to pay out $8.4 million to resolve the matter, $1.5 million of which will go to a former Raytheon Director of Engineering who blew the whistle on the alleged misconduct.
Apple AirPlay protocol vulnerable to exploitation
A group of security researchers have found a series of vulnerabilities in Apple’s AirPlay protocol and the AirPlay SDK that could allow an attacker to do a variety of nasty things on any device – both Apple’s and third-party kit – that uses the media streaming feature.
Dubbed “AirBorne” by researchers at cybersecurity firm Oligo, the vulnerabilities allow a potential attacker to deploy malware, achieve zero-click RCE, read files, cause denial of service conditions, or conduct man-in-the-middle attacks. What’s worse, all it takes to spread is an infected device joining a network with other AirPlay-compatible hardware.
“Because AirPlay is a fundamental piece of software for Apple devices as well as third-party devices that leverage the AirPlay SDK, this class of vulnerabilities could have far-reaching impacts,” the Oligo team noted.
Patches are available now for Apple devices, but Oligo expects the vulnerabilities to linger for years thanks to the many third-party devices that use AirPlay. Oligo recommends that anyone with vulnerable, unpatched AirPlay devices on their network restrict AirPlay communication on port 7000 to trusted devices only, disable AirPlay endpoints not in use, and restrict AirPlay settings to only allow current users.
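As an added illustration of the port 7000 restriction Oligo recommends (this is example code written here, not Oligo’s or Apple’s own guidance), the following POSIX shell function emits iptables rules for a Linux host acting as an AirPlay receiver, accepting port 7000 only from a listed set of trusted peers and dropping everything else on the LAN interface. The interface name and addresses are constructed; covering both TCP and UDP on 7000 is an assumption made here, since the advice names only the port; and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example: emit iptables rules that confine AirPlay (port 7000) on a
# Linux host acting as a receiver to an allowlist of trusted peers.
# Rules are printed, not applied; pipe into `sh` as root once reviewed.

# Accept only dotted-quad addresses or CIDR ranges, so nothing that could
# smuggle extra shell words ends up inside the generated commands.
valid_src() {
  case "$1" in
    ''|*[!0-9./]*) return 1 ;;
    *.*.*.*)       return 0 ;;
    *)             return 1 ;;
  esac
}

# airplay_allowlist_rules <iface> <trusted-src>...
airplay_allowlist_rules() {
  iface="$1"; shift
  case "$iface" in
    ''|*[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 2 ;;
  esac
  [ "$#" -ge 1 ] || { echo 'need at least one trusted source' >&2; return 2; }
  for src in "$@"; do
    valid_src "$src" || { echo "rejected source: $src" >&2; return 2; }
  done
  # Oligo's advice names port 7000; covering both TCP and UDP there is an
  # assumption. Per protocol: one ACCEPT per trusted source, then a
  # catch-all DROP so unknown devices on the LAN cannot reach the service.
  for proto in tcp udp; do
    for src in "$@"; do
      printf 'iptables -A INPUT -i %s -p %s --dport 7000 -s %s -j ACCEPT\n' "$iface" "$proto" "$src"
    done
    printf 'iptables -A INPUT -i %s -p %s --dport 7000 -j DROP\n' "$iface" "$proto"
  done
}

# Usage (constructed addresses):
#   airplay_allowlist_rules wlan0 192.168.1.10 192.168.1.20
```

On a router that sits between network segments the same rules would go in the FORWARD chain rather than INPUT, and any firmware that keeps AirPlay open on additional ports needs those covered as well.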
FBI publishes list of LabHost domains
The FBI has released a CSV file containing a list of some 42,000 domains used by defunct dark web phishing-as-a-service site LabHost in a bid to raise awareness, the agency said.
Law enforcement took down LabHost last year after several years of tracking the folks behind it; 35 people were arrested around the world following the seizure of the platform.
Given the platform has remained down, the FBI noted [PDF] that the 42,000 domains in the list “are historical in nature”. While those domains are no longer a threat, cybersecurity pros and threat intelligence experts may still find the list a useful source of info on threat actor tactics and techniques.
Six-year-old ecommerce backdoor roars to life around the world
Breach detection firm Sansec found a fresh wave of attacks activating a six-year-old backdoor in a number of popular ecommerce extensions for the open source Magento platform, leaving between 500 and 1,000 online stores running backdoored software.
The vendors whose software carries the backdoor are Tigren, Magesolution, and Meetanshi. Sansec said their servers appear to have been breached six years ago in a supply chain attack that infected a collective 21 packages from the three vendors. Any ecommerce site running one of those packages downloaded in the last six years is presumably now affected.
Sansec didn’t mention any victims by name, but noted that “a $40 billion multinational” firm had fallen prey to the attack, which hides its backdoor in License.php or LicenseApi.php files.
Anyone using software from one of the three firms is advised to investigate their systems immediately for signs of the backdoor’s presence. ®
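A starting point for that investigation, as an added example not taken from Sansec’s write-up: a POSIX shell function that lists every License.php and LicenseApi.php under a Magento root, records each file’s SHA-256 so it can be compared against a known-clean vendor copy, and marks files that call PHP’s dynamic-execution primitives or read raw request input. The pattern is a generic triage heuristic assumed here, not Sansec’s indicators of compromise, so a file marked REVIEW still needs a human look; the directory layout and file contents in the usage note are constructed.

```shell
#!/bin/sh
# Added example: hunt for License.php / LicenseApi.php under a Magento install.
# Output format: "<FLAGGED|REVIEW> <sha256> <path>", one line per file found.

# SHA-256 of a file, using whichever tool the host has.
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Generic PHP dynamic-execution / raw-request-input primitives. This is an
# assumed heuristic for triage, not Sansec's indicators of compromise.
SUSPECT_RE='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|create_function[[:space:]]*\(|\$_(POST|GET|REQUEST|COOKIE)\['

# scan_license_files <magento-root>
scan_license_files() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
  # Only the two file names the backdoor is reported to hide in; every hit
  # is printed (hash first) so the list can be diffed against clean copies.
  find "$root" -type f \( -name 'License.php' -o -name 'LicenseApi.php' \) -print | sort |
  while IFS= read -r f; do
    if grep -qE "$SUSPECT_RE" "$f"; then status=FLAGGED; else status=REVIEW; fi
    printf '%s %s %s\n' "$status" "$(file_hash "$f")" "$f"
  done
}

# Usage (constructed path): scan_license_files /var/www/magento
```

A FLAGGED line means the file contains something like `eval(` or `$_POST[`, which a legitimate licence-check helper rarely needs; a REVIEW line is a candidate whose hash should be checked against the vendor’s current release before it is trusted.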
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/05/04/security_news_in_brief/