Games in Microsoft Store Can Be Abused for Privilege Escalation on Windows
2020-11-04 13:37

A researcher at cybersecurity services provider IOActive has identified a privilege escalation vulnerability in Windows that can be exploited by abusing games in the Microsoft Store. Ferrante discovered the vulnerability after Microsoft announced that it started allowing mods for some games in the Microsoft Store.

Cisco discloses AnyConnect VPN zero-day, exploit code available
2020-11-04 12:22

Cisco has disclosed today a zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client software with proof-of-concept exploit code publicly available. While security updates are not yet available for this arbitrary code execution vulnerability, Cisco is working on addressing the zero-day, with a fix coming in a future AnyConnect client release.

REvil Ransomware Operator Bids for KPot Stealer Source Code
2020-11-04 12:15

The source code for the KPot information stealer was put up for auction, with the REvil ransomware operators apparently being the sole bidders, threat intelligence provider Cyjax reports. The KPot developers announced a couple of weeks ago that they were auctioning the malware's source code, with a starting price of $6,500.

Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010)
2020-11-04 12:03

For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile version. The former was found and reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero, the latter by Maddie Stone, Mark Brand, and Sergei Glazunov of Google Project Zero.

Microsoft outage breaks sites, Windows Store, Xbox, and other services
2020-11-04 11:28

Microsoft is experiencing an outage that causes website content not to display correctly and the Microsoft Store app to fail to load. When visiting www. As the Microsoft Store app pulls its data from the microsoft.com website, it also prevents the Microsoft Store app from loading.

Sneaky Office 365 phishing inverts images to evade detection
2020-11-04 09:00

A creative Office 365 phishing campaign has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by crawlers designed to spot phishing sites. This tactic has been used by several Office 365 credential phishing sites, according to WMC Global analysts, who spotted it being deployed as part of the same phishing kit created and sold by a single threat actor to multiple users.

Was that November's Patch Tuesday? Already? Oh, no, it's just Adobe issuing 14 emergency security fixes
2020-11-04 06:28

Adobe on Tuesday published updated versions of its Acrobat and Reader software to fix fourteen flaws, four of which have been designated "Critical." These updates should be installed as soon as possible to close off their vulnerabilities. Adobe generally issues patches on "Patch Tuesday," a date observed by many tech companies that falls on the second Tuesday of every month.

Review: Specops Password Policy
2020-11-04 05:30

To be fair, Microsoft did revise and upgrade the default password policy and introduced additional, granular fine-tuning options over the years, but for some enterprise environments that's still not enough, so Specops Password Policy to the rescue! For the purpose of this review, the installation was done on a server containing all necessary services: Specops Sentinel - a password filter that is installed on all domain controllers, and Specops Password Policy admin tools.

How to deal with the escalating phishing threat
2020-11-04 05:00

For attackers, it's almost a no-brainer: phishing is cheap and humans are fallible, even after going through anti-phishing training. That's why defenders must preempt attacks, he says, and reinforce a lesson during a live attack.

How do I select a compliance solution for my business?
2020-11-04 04:30

A recent survey revealed that, on average, organizations must comply with 13 different IT security and/or privacy regulations and spend $3.5 million annually on compliance activities, with compliance audits consuming 58 working days each quarter. To select a suitable compliance solution for your business, you need to think about a variety of factors.