This Month in Cybersecurity: the November news roundup is here.
At Passbolt, our monthly news roundup keeps you informed on key stories impacting teams, businesses, and open-source advocates alike. From defining what truly qualifies as open source AI to new vulnerabilities in widely used software, here’s what you need to know to stay ahead.
Let’s dive in!
1. The Open Source AI definition is out
The Open Source Initiative (OSI) has launched version 1.0 of the Open Source AI Definition (OSAID), setting clear standards for AI systems to qualify as open source. It requires transparency in design, training data details, and unrestricted use, modification, and sharing of AI models. While not mandating full dataset release, it demands enough data clarity for system recreation. Aimed at curbing “open-washing” by companies, the OSAID addresses AI’s unique complexities and offers a framework for truly open AI development. Supported by groups like Mozilla and SUSE, it is expected to shape future industry practices and policies.
Date: Oct 29, 2024
Source: The New Stack
Author: Steven J. Vaughan-Nichols
2. Google Cloud to enforce mandatory MFA by the end of 2025
Google Cloud will make multi-factor authentication (MFA) mandatory for all user accounts worldwide by the end of 2025 to enhance account security. MFA, which protects 99% of accounts against breaches, will be rolled out in phases, with notifications starting in late 2024 to ensure a smooth transition. Users can choose Google’s built-in MFA, such as passkeys linked to biometrics, or third-party solutions. This move addresses the risks of phishing and credential theft, aligning Google with other tech giants like Microsoft and Apple in adopting MFA as a standard. Only Google Cloud accounts, not regular consumer Google accounts, will be affected.
Date: Nov 15, 2024
Source: CPO Magazine
Author: Alicia Hope
3. Critical 7-Zip vulnerability lets attackers execute arbitrary code
A critical vulnerability (CVE-2024-11477) has been identified in 7-Zip, allowing attackers to execute arbitrary code through maliciously crafted archives. Rated high severity with a score of 7.8, the flaw lies in the Zstandard decompression implementation, where improper validation of input data can lead to memory corruption and system compromise. Exploiting this vulnerability requires minimal technical expertise; a victim who opens a crafted archive risks code execution with their own user-level privileges, which an attacker could then build on to gain full control of the system. The issue has been fixed in version 24.07, and users must update manually because 7-Zip has no auto-update feature. Prompt patching is strongly advised to mitigate these risks.
Date: Nov 25, 2024
Source: Cyber Security News
Author: Guru Baran
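Because 7-Zip does not update itself, the practical defender's task after this item is inventory: find every install older than 24.07. The script below is an added example written for this roundup, not code from the article or from the 7-Zip project. It parses the version out of the banner line that the 7z command prints (the banner shape, e.g. "7-Zip 23.01 (x64) : Copyright ...", is an assumption based on common builds, not something the article shows), compares it against the fixed release named above, and classifies a set of constructed sample banners gathered from hypothetical hosts. The host names and banner strings are constructed for the example.

```python
import re
import shutil
import subprocess

# Version in which, per the article, CVE-2024-11477 was fixed.
FIXED_VERSION = (24, 7)

# Matches the first line 7-Zip prints, e.g. "7-Zip 23.01 (x64) : Copyright ..."
# (older builds print "7-Zip [64] 16.02 : ..."). This banner format is an
# assumption based on common 7-Zip builds, not something the article states.
_BANNER_RE = re.compile(r"7-Zip(?:\s+\[\d+\])?\s+(\d+)\.(\d+)")


def parse_7zip_version(banner: str):
    """Return (major, minor) parsed from a 7-Zip banner, or None if no banner is present."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_patch(version, fixed=FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return version < fixed


def audit_banners(banners: dict) -> dict:
    """Map each host name to 'patch', 'ok', or 'unknown' (no 7-Zip banner found)."""
    result = {}
    for host, banner in banners.items():
        version = parse_7zip_version(banner)
        if version is None:
            result[host] = "unknown"
        elif needs_patch(version):
            result[host] = "patch"
        else:
            result[host] = "ok"
    return result


def local_7zip_banner() -> str:
    """Capture the local 7z banner if a 7-Zip binary is on PATH; empty string otherwise.

    Running 7z with no arguments prints its banner and usage text.
    """
    exe = shutil.which("7z") or shutil.which("7zz") or shutil.which("7za")
    if exe is None:
        return ""
    try:
        proc = subprocess.run([exe], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return ""
    return proc.stdout


# Constructed sample banners standing in for output collected from four hosts
# (hypothetical host names; the banner text is constructed for this example).
SAMPLE_BANNERS = {
    "build-01": "7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov",
    "build-02": "7-Zip 24.07 (x64) : Copyright (c) 1999-2024 Igor Pavlov",
    "legacy-01": "7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov",
    "laptop-07": "bash: 7z: command not found",
}

if __name__ == "__main__":
    for host, status in audit_banners(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
    local = local_7zip_banner()
    if local:
        print("this host:", audit_banners({"this-host": local})["this-host"])
```

The "unknown" bucket matters as much as "patch": a host with no banner may simply have 7-Zip installed under a path the script did not probe, so it should be re-checked by another method (package manager, installed-programs list) rather than treated as clean.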
4. RomCom exploits zero-day Firefox and Windows flaws in sophisticated cyberattacks
The RomCom threat actor exploited zero-day vulnerabilities in Mozilla Firefox (CVE-2024-9680) and Windows Task Scheduler (CVE-2024-49039) to deliver its malware, RomCom RAT. These attacks used a fake website to execute code and bypass Firefox’s sandbox, leveraging Windows flaws to gain elevated privileges. Targeting users in Europe and North America, the malware installation required no user interaction. Both vulnerabilities have been patched, but the attack highlights RomCom’s advanced capabilities and focus on espionage and cybercrime.
Date: Nov 26, 2024
Source: The Hacker News
Author: Ravie Lakshmanan
5. Researchers discover first UEFI bootkit malware for Linux
Researchers have identified Bootkitty, the first UEFI bootkit targeting Linux, signaling a shift in bootkit threats from Windows to Linux. This proof-of-concept malware bypasses kernel signature verification to load malicious components during boot but currently targets only specific Ubuntu versions due to its buggy and limited design. Though not yet seen in active attacks, Bootkitty highlights growing attacker interest in Linux as its enterprise use increases. Detection details have been shared to help mitigate risks.
Date: Nov 27, 2024
Source: BleepingComputer
Author: Bill Toulas
6. Microsoft hits back at claims it slurps your Word, Excel files to train AI models
Microsoft is under scrutiny for its Connected Experiences feature in Microsoft 365, amid concerns it may use customer data from Word and Excel to train AI models. Microsoft denies this but acknowledges in its privacy policy that data may be used to develop AI. Questions remain about whether the default “on” setting constitutes consent. The company clarified that enterprise customers might permit data use for custom AI models but insists it doesn’t train AI on customer data without explicit permission. The controversy highlights the need for clearer transparency in data usage and AI practices.
Date: Nov 27, 2024
Source: The Register
Author: Richard Speed
7. Bluesky’s open API means anyone can scrape your data for AI training
Bluesky’s open API allows third parties to scrape public user data for purposes like AI training, as highlighted when a Hugging Face researcher collected 1 million public posts for machine learning research. Though the dataset was removed after backlash, the incident highlights that public posts on Bluesky are accessible to anyone. While Bluesky is exploring ways to let users set consent preferences, enforcement beyond its platform remains uncertain. As the platform grows in popularity, it faces increasing scrutiny similar to other major social networks.
Date: Nov 27, 2024
Source: TechCrunch
Author: Paul Sawers
Conclusion
If any of these stories caught your attention—like the implications of Microsoft’s AI data policies or the open source AI definition—let’s discuss. Share your take in the community forum, or let us know about news we might’ve missed. https://hubs.li/Q02bCy160.
We’re considering a move to the Bluesky platform. What are your thoughts? Is Bluesky the right space for security-focused discussions, or do the data privacy concerns give you pause? Share your perspective in our community forum; we’d love to hear from you!