Security News

Google Warns of New Android 0-Day Vulnerability Under Active Targeted Attacks
2021-11-02 22:20

Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks. Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation.

Google Warns of New Android 0-Day Vulnerability Under Active Targeted Attacks
2021-11-02 22:20

Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks. Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation.

Google Releases Urgent Chrome Update to Patch 2 Actively Exploited 0-Day Bugs
2021-10-28 21:08

Google on Thursday rolled out an emergency update for its Chrome web browser, including fixes for two zero-day vulnerabilities that it says are being actively exploited in the wild. The internet giant's Threat Analysis Group has been credited with discovering and reporting the two flaws on September 15, 2021, and October 26, 2021, respectively.

Apple ships Monterey with security updates, fixes 0-day in Watch and TV products, updates iDevices
2021-10-27 22:16

Big Sur gets a version-bump to 11.6.1, while Catalina gets an old-version-style patched labelled Security Update 2021-007, but not a version number change. Importantly, these updates retrofit the iOS 15.0.2 patch to the Watch and TV product lines.

Update Your Windows PCs Immediately to Patch New 0-Day Under Active Attack
2021-10-15 07:12

Microsoft on Tuesday rolled out security patches to contain a total of 71 vulnerabilities in Microsoft Windows and other software, including a fix for an actively exploited privilege escalation vulnerability that could be exploited in conjunction with remote code execution bugs to take control over vulnerable systems. At the top of the list is CVE-2021-40449, a use-after-free vulnerability in the Win32k kernel driver discovered by Kaspersky as being exploited in the wild in late August and early September 2021 as part of a widespread espionage campaign targeting IT companies, defense contractors, and diplomatic entities.

S3 Ep54: Another 0-day, double Apache patch, and Fight The Phish [Podcast]
2021-10-14 18:33

Apache patches an embarrassing bug and then has to patch the patch. Oh! No! The computer that punched a user in the face.

Apple quietly patches yet another iPhone 0-day – check you have 15.0.2
2021-10-12 18:03

We were going to say "Unexpected updates", but all Apple security patches are, of course, unexpected by design. Apple deliberately announces security fixes only after they've been published, so you couldn't plan for them even if you wanted.

New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks
2021-10-10 19:57

The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an "Incomplete fix" for an actively exploited path traversal and remote code execution flaw that it patched earlier this week. CVE-2021-42013, as the new vulnerability is identified as, builds upon CVE-2021-41773, a flaw that impacted Apache web servers running version 2.4.49 and involved a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.

Actively exploited Apache 0-day also allows remote code execution
2021-10-06 15:29

These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution abilities. The path traversal vulnerability in Apache's HTTP server, first reported by BleepingComputer, has actively been exploited in the wild before the Apache project was notified of the flaw in September, or had a chance to patch it.

Exploit code released for three iOS 0-days that Apple failed to patch
2021-09-24 11:13

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher.The researcher who found the four zero-days reported them to Apple between March 10 and May 4.