Security News > 2021

Apple today released software updates to patch vulnerabilities in iPhones and iPads that may have been exploited by miscreants to silently snoop on victims from afar. Apple said it is "Aware of a report that this issue may have been actively exploited." How would one inject malicious code into a device? Look no further than.... CVE-2021-1871, CVE-2021-1870: Also fixed in iOS 14.4 and iPadOS 14.4, a logic bug in WebKit that can be exploited by a malicious webpage - opened in, say, Safari - to execute arbitrary code.

The Sophos Rapid Response team has just written up a recent case study of a network attack that involved the account of a sysadmin who had died three months before. The account of the late employee wasn't shut down because various internal services had been configured to use it, presumably because the deceased had been involved in setting up those services in the first place.

Cybersecurity researchers on Tuesday disclosed a now-patched security flaw in TikTok that could have potentially enabled an attacker to build a database of the app's users and their associated phone numbers for future malicious activity. Although this flaw only impacts those users who have linked a phone number with their account or logged in with a phone number, a successful exploitation of the vulnerability could have resulted in data leakage and privacy violation, Check Point Research said in an analysis shared with The Hacker News.

A good place to start is to make sure that any major business data lakes follow all security best practices and remain operationally separate from one another. Doing so can limit data exfiltration if unauthorized users gain access due to a security breach.

Microsoft has released a new set of Intel microcode updates for Windows 10 20H2, 2004, 1909, and older versions to fix bugs impacting multiple Intel CPU families. Microcode updates are released by Intel after discovering bugs in their CPUs to allow OS vendors to patch the CPU behavior to address or at least partially mitigate the issues.

Mozilla this week announced further improvements to user privacy in Firefox, through the isolation of network connections and caches, thus essentially cracking down on supercookies. Specifically, Firefox 85 is arriving with an updated network architecture, where network connections and caches are isolated to the website being visited.

Apple on Tuesday dropped emergency security patches for its flagship iOS and iPad OS platforms alongside a warning that hackers may already be exploiting three different security vulnerabilities. Apple has promised additional details will be available soon.

A now-fixed Sudo vulnerability allowed any local user to gain root privileges on Unix-like operating systems without requiring authentication. Sudo is a Unix program that enables system admins to provide limited root privileges to normal users listed in the sudoers file, while at the same time keeping a log of their activity.

UPDATE. VIPGames, a free platform with a total of 56 available classic board and card games like Hearts, Crazy Eights, Euchre, Dominoes, Backgammon and others, has exposed the personal data of tens of thousands of users. In a statement, released after this original Threatpost report was published, VIPGames acknowledged "An issue that potentially exposed user profiles" but stated it wasn't aware any user data was leaked.

Cybersecurity companies Mimecast and Qualys have apparently been targeted by the threat actor that breached the systems of IT management solutions provider SolarWinds as part of a sophisticated supply chain attack. Some experts believed at the time that the incident may be related to the SolarWinds breach, and Mimecast on Tuesday confirmed that the theft of the certificate was indeed related to the SolarWinds software compromise and carried out by the same hackers.