EU Lawmakers Finalize Cyber Security Rules That Panicked Devs

Infosec in brief: The European Union’s Parliament and Council have reached an agreement on the Cyber Resilience Act (CRA), setting the long-awaited security regulation on a path to final approval and adoption, along with new rules exempting open source software.

The CRA was proposed by the European Commission in September 2022 and imposes mandatory cyber security requirements for all hardware and software products – from baby monitors to routers, as the EU Commission put it.

Once in force, which will happen 20 days after its adoption by Parliament and the Council, the CRA will require hardware and software makers to meet some intimidating targets. Included in the rule is a 24-hour disclosure period for any newly-discovered security flaw under active exploitation, five years of security patch support, thorough documentation of all security features, and more.

Manufacturers, importers and distributors will have 36 months to adopt the requirements or face fines up to €15 million or 2.5 percent of total worldwide annual turnover.

While better security is all well and good, concerns have been raised over the potential effect the CRA could have on open source software, which is often maintained by only a few people despite how important it can be to larger products. Open source maintainers may find it hard to meet short deadlines for patches, documentation and disclosure.

Fears over the CRA were voiced as recently as October, when it was apparent that the Commission had largely ignored the open source community as it finalized the Act.

Luckily, the latest version of the CRA appears to address those concerns.

“In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation,” the proposed version of the CRA reads.

“We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open source community,” lead member of the European Parliament (MEP) Nicola Danti explained regarding the CRA agreement. “Only together will we be able to tackle successfully the cyber security emergency that awaits us in the coming years.”

Critical vulnerabilities: Just a couple footnotes

The shortness of today’s critical vulnerabilities list isn’t to say it hasn’t been a busy week on the critical vulnerabilities front – quite the contrary.

We had a data-destroying bug reported in OpenZFS, Google patched six vulnerabilities in Chrome – including one under active exploit – and Apple issued an emergency patch to WebKit for a pair of vulnerabilities already under attack on iPhones, iPads and Macs.

A couple of other issues didn’t grab as many headlines this week:

  • CVSS 9.8 – Multiple CVEs: Delta Electronics’ InfraSuite Device Master monitoring software contains a series of vulnerabilities that could let an attacker obtain plaintext credentials and execute arbitrary code.
  • CVSS 9.1 – Multiple CVEs: Several PTC industrial networking products are vulnerable to heap-based buffer overflow and are improperly validating certificates, which could allow an attacker to crash devices and steal data without the need to authenticate.

TikTokers defeat Montana’s ban on their favorite app

The US state of Montana’s ban on TikTok, due to take effect on January 1, 2024, has been blocked by a federal judge who decreed the law would “limit constitutionally protected First Amendment speech.”

The law, known as SB 419 and passed in May, is unlikely to pass a scrutiny review, the judge found.

“Despite the state’s attempt to defend SB 419 as a consumer protection bill, the current record leaves little doubt that Montana’s legislature and attorney general were more interested in targeting China’s ostensible role in TikTok than with protecting Montana consumers,” explained judge Donald W. Molloy of the US District Court for Montana.

The judge’s decision was made in response to a lawsuit brought by a group of TikTok users who were quietly being funded by the social network. Regardless, it appears Montana’s legislature was going beyond its authority, Molloy found.

TikTok applauded the move, while Montana’s attorney general, the defendant in the TikTokers’ case, only wanted to remind everyone that the fight isn’t over, and the State still has a chance to appeal.

What a steal: Nearly two million sets of employee data lifted from US dollar stores

US discount retail chains Dollar Tree and Family Dollar have had nearly two million sets of employee data leaked after a breach at a third-party vendor.

Zeroed-In Technologies, which provides analytics software for HR departments at the two chains, told the Maine attorney general’s office of a breach that happened way back in August, but which was only recently reported.

According to a letter sent to affected individuals, names, dates of birth and social security numbers may have been exposed – but Zeroed-In isn’t entirely sure. “While the investigation was able to determine that … systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor.”

Few other details were provided. Additionally, it’s unclear whether Zeroed-In customers aside from the pair of dollar store chains were affected. Zeroed-In customers who haven’t heard from the firm should probably check to see if they were caught up in the incident. ®