Exploits imminent for critical VMware vCenter CVE-2021-22005 bug
2021-09-24 18:04

Exploit code that could be used to achieve remote code execution on VMware vCenter Server vulnerable to CVE-2021-22005 is currently spreading online. Publicly disclosed earlier this week when VMware also addressed it, the bug comes with a critical severity rating of 9.8 and a strong recommendation to install the available patch.

Are VPNs still the best solution for security?
2021-09-24 17:34

Cybersecurity professionals rely on VPNs to secure remote endpoints with an organization's home network. "It is critical that companies take a proactive stance to security and implement a long-term remote security strategy," continued Prassl.

Emergency Google Chrome update fixes zero-day exploited in the wild
2021-09-24 17:33

Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild. The update was available immediately when BleepingComputer manually checked for new updates from Chrome menu > Help > About Google Chrome.

Microsoft rushes to register Autodiscover domains leaking credentials
2021-09-24 17:03

Microsoft is rushing to register Internet domains used to steal Windows credentials sent from faulty implementations of the Microsoft Exchange Autodiscover protocol. Many mail clients, including some versions of Microsoft Outlook and Office 365, incorrectly implement the Autodiscover protocol causing them to try and authenticate to third-party autodiscover.

EU officially blames Russia for 'Ghostwriter' hacking activities
2021-09-24 16:11

The European Union has officially linked Russia to a hacking operation known as Ghostwriter that targets high-profile EU officials, journalists, and the general public. "These malicious cyber activities are targeting numerous members of Parliaments, government officials, politicians, and members of the press and civil society in the EU by accessing computer systems and personal accounts and stealing data," European Council officials said in a press release today.

TangleBot Malware Reaches Deep into Android Device Functions
2021-09-24 15:48

An Android malware called TangleBot has woven its way onto the cyber-scene, one that researchers said can perform a bouquet of malicious actions, including stealing personal info and controlling apps and device functions. The site tells users they need an "Adobe Flash update." If they click on the subsequent dialog boxes, TangleBot malware installs.

OWASP Top 10 2021: The most serious web application security risks
2021-09-24 15:43

"We get data from organizations that are testing vendors by trade, bug bounty vendors, and organizations that contribute internal testing data. Once we have the data, we load it together and run a fundamental analysis of what CWEs map to risk categories," the Open Web Application Security Project explains. The reason for leaving space for direct input from application security and development experts on the front lines is the fact that it takes time to find ways to test new vulnerabilities, and they can offer knowledge on essential weaknesses that the contributed data may not show yet.

The Proliferation of Zero-days
2021-09-24 14:51

One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools. Powerful groups are all pouring heaps of cash into zero-days to use for themselves - and they're reaping the rewards.

iOS 15: How to enable Mail Privacy Protection
2021-09-24 14:48

If you have access to Apple's iOS 15 Developer Beta, learn how to use an important security feature called Mail Privacy Protection. If you're lucky enough to have access to the iOS 15 Developer Beta, you're probably already tinkering with all the new features, including Mail Privacy Protection.

Critical Cisco Bugs Allow Code Execution on Wireless, SD-WAN
2021-09-24 14:01

Cisco is warning that three critical security vulnerabilities affect its flagship IOS XE software, the operating system for most of its enterprise networking portfolio. The most severe of the critical bugs is an unauthenticated remote-code-execution and denial-of-service bug, affecting the Cisco Catalyst 9000 family of wireless controllers.