Aleksander W. Jarosz
June 20, 2023

New Vulnerabilities Related to MOVEit; Potential Impact of Legislation on Large Language Models

Another SQL Injection Vulnerability Has Been Reported For MOVEit Software

CVE-2023-35708 was reported on June 15. The newer vulnerability supersedes the original vulnerability CVE-2023-34362 reported May 31, and the June 9 vulnerability CVE-2023-35036. The new CVE-2023-35708 affects MOVEit versions prior to 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). Different mitigation steps are recommended depending on which patch vulnerable organizations have already applied. Refer to the link from Progress for detailed patching steps (1).

The reporting on MOVEit since May 31 underscores the importance of implementing robust patch management practices. Organizations cannot patch and forget. Best practice requires further monitoring for patch updates, which may be released on an irregular schedule. Administrator teams must be keyed into such changes by monitoring for patch updates and understanding how those updates affect current efforts. The ability to address changing situations quickly and dynamically will greatly reduce exposure to known vulnerabilities.
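One way to re-check an asset inventory each time a new advisory lands is sketched below, as an added example that is not code from Progress or from the original post. It classifies reported versions against the fixed builds listed above for CVE-2023-35708; the host names and the inventory are constructed, and ignoring any trailing build component in a version string is an assumption.

```python
import re

# Fixed builds per release branch, taken from the list above
# (internal numbering, e.g. 2023.0.3 is 15.0.3).
FIXED = {(13, 0): 8, (13, 1): 6, (14, 0): 6, (14, 1): 7, (15, 0): 3}

# Release-year numbering -> internal major, derived from the same list.
YEAR_TO_MAJOR = {2021: 13, 2022: 14, 2023: 15}


def parse_version(text):
    """Return (major, minor, patch) in internal numbering, or None."""
    # Assumption: anything after the third component is a build number
    # and does not affect the comparison.
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return YEAR_TO_MAJOR.get(major, major), minor, patch


def triage(version_text):
    """Classify one reported version: 'vulnerable', 'fixed' or 'review'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "review"  # unparseable: a human has to look
    major, minor, patch = parsed
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch not named in the list: do not guess, escalate instead.
        return "review"
    return "vulnerable" if patch < fixed_patch else "fixed"


# Constructed inventory (hypothetical hosts and versions).
INVENTORY = {
    "mft-01.example.internal": "2023.0.2",
    "mft-02.example.internal": "15.0.3",
    "mft-03.example.internal": "14.1.6",
    "mft-04.example.internal": "12.1.9",
    "mft-05.example.internal": "unknown",
}


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

When a later advisory supersedes this one, only the `FIXED` table changes, so hosts previously marked fixed are re-evaluated instead of being patched and forgotten.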

Large Language Model Policy Must Balance Security And Development  

The European Parliament passed a draft known as the A.I. (artificial intelligence) Act after two years of deliberation. The draft demonstrates increased attention and interest by officials to create policy to regulate large language model applications like ChatGPT (2). The legislation represents the most mature policy made public. It is very likely to set blueprints that will incentivize other nations to implement similar or related policies against generative software that expresses increased human-like capability. The US and China have publicized more limited, less comprehensive draft policies, and a handful of further countries demonstrate an interest in related legislation (3, 4). 

The European draft focuses on the harm to humans that these new applications could cause. The legislation also aims to regulate use by police and court systems. The use of facial recognition is one specific risk topic under further consideration, as well as model transparency and documentation.

Large Language Models Have The Potential to Define A New Technological Era    

The technology is advancing quickly in the absence of regulations. The potential for new capability to rapidly emerge creates a power dynamic between nations over how to best balance control and development as pieces of these applications are absorbed and implemented by further technology. Too much regulation could greatly disincentivize development in some regions, shifting talent and technological benefits to other nations.

With too little regulation, developers could sidestep weak policy and further develop applications that are poorly understood and have a greater potential to be misused, at a great cost to societies and governments through unpredictability. The European Union is likely to be viewed as a policy leader as a result of the comprehensive draft bill released.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: TAXII v1 Discovery services.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.


Appendix

1. “MOVEit Transfer Critical Vulnerability – CVE-2023-35708 (June 15, 2023),” Progress Community. https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023 (accessed Jun. 20, 2023).

2. A. Satariano, “Europeans Take a Major Step Toward Regulating A.I.,” The New York Times, Jun. 14, 2023. [Online]. Available: https://www.nytimes.com/2023/06/14/technology/europe-ai-regulation.html (accessed Jun. 20, 2023).

3. “Blueprint for an AI Bill of Rights | OSTP,” The White House. https://www.whitehouse.gov/ostp/ai-bill-of-rights/ (accessed Jun. 20, 2023).

4. C. Che, “China Says Chatbots Must Toe the Party Line,” The New York Times, Apr. 24, 2023. [Online]. Available: https://www.nytimes.com/2023/04/24/world/asia/china-chatbots-ai.html (accessed Jun. 20, 2023).



 
