If you're running Windows, I feel bad for you, son. Microsoft's got 99 problems, better fix each one
Microsoft had one of its largest patch bundles in recent memory, as the Windows giant released fixes for 99 CVE-listed vulnerabilities. These include two elevation of privilege bugs in Windows Installer, a security bypass in Secure Boot, and an information disclosure vulnerability in Edge and IE. Once again, Remote Desktop was cause for alarm, as patches for two remote code execution flaws in the client side of the administration tool will need to be tested and installed when possible.
Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. The update includes a patch for the zero-day memory-corruption vulnerability disclosed in late January that's under active attack.
To mark the occasion, Microsoft has released fixes for 99 vulnerabilities - 12 critical, one of which is being exploited in the wild - and Adobe has released fixes for 42, most of which are critical and none of which are actively exploited. Microsoft fixed nearly 100 vulnerabilities this Tuesday, spread across a number of products: Windows, Edge, IE, SQL Server, Exchange Server, Office, and more.
Cosmetic company Estée Lauder exposed 440 million records to the Internet in a database that was left accessible without proper protection, a security researcher says. The exposed database was discovered on January 30 by Security Discovery security researcher Jeremiah Fowler, who attempted to contact Estée Lauder immediately after identifying user email addresses in the database.
Elastic Stack 7.6 streamlines automated threat detection with the launch of a new SIEM detection engine and a curated set of detection rules aligned to the MITRE ATT&CK knowledge base, brings performance improvements to Elasticsearch, makes supervised machine learning more turnkey with inference-on-ingest features, and deepens cloud observability and security with the launch of new data integrations. Chasing down an error in the Elastic Logs app or investigating a threat in Discover are just a few of the many things that will be faster by simply upgrading to 7.6.
The developers of the Emotet Trojan have created a new way to spread it to more victims, security firm Binary Defense reports. Attackers are using unsecured WiFi networks as a way to deliver the malware to more devices.
Intel is warning of a high-severity flaw in the firmware of its converged security and management engine, which if exploited could allow privilege escalation, denial of service and information disclosure. Another critical flaw discovered in May could allow an authenticated user to enable escalation of privilege over network access in CSME. Overall, Intel patched six flaws on Tuesday, including the high-severity flaw in CSME. The remainder of the vulnerabilities were medium and low-severity.
Swiss authorities said Tuesday they have opened an investigation into allegations a Zug, Switzerland-based maker of encryption devices was a front operated by the CIA and West German intelligence that enabled them to break the codes of the countries that used their products. A joint investigation published Tuesday by Germany's ZDF public broadcaster and The Washington Post based on documents from the CIA and Germany's BND foreign intelligence agency revealed that Crypto AG made millions of dollars for the two agencies, while providing them with access to the encrypted communications of more than 120 countries for decades.
Microsoft disclosed the existence of the Internet Explorer zero-day on January 17, when it promised to release patches and provided a workaround. Microsoft has credited Google's Threat Analysis Group and Chinese cybersecurity firm Qihoo 360 for reporting the vulnerability.
US and German intelligence services raked in the top secret communications of governments around the world for decades through their hidden control of a top encryption company, Crypto AG, US, German and Swiss media reported Tuesday. Together they rigged Crypto's equipment to be able to easily break the codes and read the governments' messages, according to reports by the Washington Post, German television ZDF and Swiss state media SRF.