
10,000 employees at Stanley Black & Decker go passwordless
2021-09-24 13:15

Stanley Black & Decker has been working with TrueU since 2018, and the passwordless protection TrueU offered "sounded too good to be true," said Rhonda Gass, VP and chief information officer. Passwordless security is on the rise (see our previous reporting on other companies offering tools to move us toward a passwordless future) and will likely combine multifactor authentication, such as biometric verification, with passive signals that may prompt a user for additional verification.

Apple Patches 3 More Zero-Days Under Active Attack
2021-09-24 11:29

Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges. Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of the same vulnerabilities, CVE-2021-30869, that also affects macOS. The XNU kernel vulnerability, whose discovery was attributed to Erye Hernandez and Clément Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero, is a type-confusion issue that Apple addressed with "improved state handling," according to its advisory.

Researcher drops three iOS zero-days that Apple refused to fix
2021-09-24 11:13

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher. The unknown researcher who found the four zero-days reported them to Apple between March 10 and May 4.

Exploit code released for three iOS 0-days that Apple failed to patch
2021-09-24 11:13

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher. The researcher who found the four zero-days reported them to Apple between March 10 and May 4.

A new zero-day is being exploited to compromise Macs (CVE-2021-30869)
2021-09-24 10:31

Another zero-day in Apple's software is being actively exploited by attackers, forcing the company to push out security updates for macOS Catalina and iOS 12. Flagged by researchers Erye Hernandez and Clément Lecigne of Google's Threat Analysis Group and Ian Beer of Google Project Zero, the vulnerability is a type confusion issue found in XNU, the kernel of Apple's macOS and iOS operating systems.

Stop worrying that crims could break the 'net, say cyber-diplomats – only nations have tried
2021-09-24 07:28

The Global Commission on the Stability of Cyberspace is worried that its guidance on preventing the internet, and everything it connects, from becoming a casualty of war is being misinterpreted. The first of its norms, the Norm on non-interference with the public core of the Internet, seeks to forbid attacks on the Domain Name System, DNSSEC, WHOIS information services, and systems operated by the Internet Assigned Numbers Authority and by the Regional Internet Registries.

Cisco fixes highly critical vulnerabilities in IOS XE Software
2021-09-24 07:23

Cisco has patched three critical vulnerabilities affecting components of its IOS XE internetworking operating system, which powers routers and wireless controllers, or products running with a specific configuration. The worst of the flaws received the highest severity rating, 10 out of 10; it affects the Cisco Catalyst 9000 Family Wireless Controllers, which include the enterprise-class Catalyst 9800-CL Wireless Controllers for Cloud.

SonicWall fixes critical bug allowing SMA 100 device takeover
2021-09-24 06:19

SonicWall has patched a critical security flaw impacting several Secure Mobile Access 100 series products that can let unauthenticated attackers remotely gain admin access on targeted devices. The SMA 100 series appliances vulnerable to attacks targeting the improper access control vulnerability, tracked as CVE-2021-20034, include the SMA 200, 210, 400, 410, and 500v. There are no temporary mitigations that remove the attack vector, and SonicWall strongly urges impacted customers to deploy the security updates that address the flaw as soon as possible.

New infosec products of the week: September 24, 2021
2021-09-24 05:50

Here's a look at the most interesting product releases from the past week, featuring releases from CoSoSys, Druva, McAfee, Nutanix and Stairwell. Customers adopting the Nutanix Cloud Platform with AOS 6 gain access to new Business Continuity and Disaster Recovery capabilities previously only found in specialized solutions.

Implementing risk quantification into an existing GRC program
2021-09-24 05:30

With a myriad of risks and limited security budgets, how do organizations decide which projects to prioritize? Many governance, risk management and compliance professionals believe risk quantification is the answer. Risk quantification also enables risk professionals to communicate risk to leaders and other stakeholders in a shared language everyone understands: dollars and cents.