Security News > 2021

Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder where they are downloaded. Last month, we reported on a bug in the Windows 10 console multiplexer driver, condrv.

Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder where they are downloaded. Last month, we reported on a bug in the Windows 10 console multiplexer driver, condrv.

Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder where they are downloaded. Last month, we reported on a bug in the Windows 10 console multiplexer driver, condrv.

Automated vulnerability reports generated by scanning tools are returning hundreds, if not thousands of vulnerabilities, and with a great deal of organizations reporting a lack of skilled cybersecurity professionals, teams are already stretched too thin to fix each one. In an effort to resolve this, developers and security professionals have traditionally relied on vulnerability scoring systems to help them prioritize the most critical flaws and streamline remediation efforts.

I've seen this collaboration up close due to my company's involvement in helping to secure Super Bowl LV. The Super Bowl is designated as a National Special Security Event, which means the Department of Homeland Security and other government agencies are deeply involved. Securing the Super Bowl is highly complex since the task is so much more than simply ensuring the physical safety of the players, their support teams, the fans, and the stadium.

BluBracket announced its Community Edition, a free, robust and automated tool for finding passwords, tokens and other security vulnerabilities in code. "Source code is quickly becoming the largest surface area of attack being exploited by hackers. BluBracket is exclusively focused on addressing the risks in your source code, and now is the right time to make our Community Edition freely accessible so developers and engineers have a robust and professional way to keep credentials out of code."

Apple has rolled out a fix for a critical sudo vulnerability in macOS Big Sur, Catalina, and Mojave that could allow unauthenticated local users to gain root-level privileges on the system. Sudo is a common utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user.

In what's a novel supply chain attack, a security researcher managed to breach over 35 major companies' internal systems, including that of Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, and achieve remote code execution. The technique, called dependency confusion or a substitution attack, takes advantage of the fact that a piece of software may include components from a mix of private and public sources.

North Korean attacks on crypto exchanges reportedly netted an estimated $316m in cryptocurrency in 2019 and 2020, according to a report by Japan's Nikkei. The outlet says it saw that figure in a draft of a United Nations report destined for the desk of the Security Council's North Korea Sanctions Committee.

Antivirus solutions provider Emsisoft revealed last week that a third-party had accessed a publicly exposed database containing technical logs. The database was initially exposed on January 18, 2021, and remained so until the data breach was identified, on February 3.