Security News

This follows an intriguing month of Firefox 100 releases, with Firefox 100.0 arriving, as did Chromium 100 a month or so before it, without any trouble caused by the shift from a two-digit to a three-digit version number. No doubt in part due to the efforts of both Google's Chromium and Mozilla's Firefox coders, the 100.0 release of both browsers was ultimately uneventful.

Microsoft has released a workaround for a zero-day flaw that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said. The remote control execution flaw, tracked as CVE-2022-3019, is associated with the Microsoft Support Diagnostic Tool, which, ironically, itself collects information about bugs in the company's products and reports to Microsoft Support.

Microsoft, Google, Apple and others frequently release fixes for vulnerabilities "Under active attack." Vulnerabilities in Log4j, or the myriad of network device flaws discovered in the last three years against F5, Citrix, Palo Alto and SonicWall, consume news cycles because the affected systems are used in large corporate infrastructure. The risk of untrusted USB sticks has been around for over a decade - it was likely the infection vector for the Stuxnet attacks in Iran in 2010 - and it is widely understood as a "Security 101" concept, but attackers wouldn't continue to use these techniques if they didn't work.

Google Project Zero reported 58 exploited zero-day vulnerabilities in 2021, a record in the short time the team of security researchers has been keeping tabs. In a year-in-review report on the number instances a zero-day bug has been exploited in the wild, researchers noted the number a twofold jump in detected flaws since 2020.

Apple, as ever, isn't saying anything about the platforms that didn't get updates, so it's impossible to say whether they're immune and thus unaffected, affected but simply being ignored, or affected and still awaiting updates that will show up in a few days. Intriguingly, Apple's core Security Updates page at HT201222 reports that there are updates denoted tvOS 15.4.1 and watchOS 8.5.1, but Apple merely remarks that these updates have "No published CVE entries".

Apple rushed out patches for two zero-days affecting macOS and iOS Thursday, both of which are likely under active exploitation and could allow a threat actor to disrupt or access kernel activity. Apple released separate security updates for the bugs - a vulnerability affecting both macOS and iOS tracked as CVE-2022-22675 and a macOS flaw tracked as CVE-2022-22674.

A zero-day remote code execution vulnerability has come to light in the Spring framework shortly after a Chinese security researcher briefly leaked a proof-of-concept exploit on GitHub before deleting their account. According to cybersecurity firm Praetorian, the unpatched flaw impacts Spring Core on Java Development Kit versions 9 and later and is a bypass for another vulnerability tracked as CVE-2010-1622, enabling an unauthenticated attacker to execute arbitrary code on the target system.

Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, both of which it says are being actively exploited in the wild. Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations parameter processing and the WebGPU inter-process communication Framework.

Mozilla has published Firefox 97.0.2, an "Out-of-band" update that closes two bugs that are officially listed as critical. Access to the details of the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.

Google on Monday rolled out fixes for eight security issues in the Chrome web browser, including a high-severity vulnerability that's being actively exploited in real-world attacks, marking the first zero-day patched by the internet giant in 2022. The shortcoming, tracked CVE-2022-0609, is described as a use-after-free vulnerability in the Animation component that, if successfully exploited, could lead to corruption of valid data and the execution of arbitrary code on affected systems.