Security News > 2022

Microsoft on Monday released details about a bug in macOS that Apple fixed last month - named "Powerdir" - that could let attackers hijack apps, install their own nasty apps, use the microphone to eavesdrop or grab screenshots of whatever's displayed on your screen. Introduced in 2012 in macOS Mountain Lion, TCC helps users to configure their apps' privacy settings by requiring that all apps get user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, calendar and network volumes, as well as before the apps are allowed to access the device's camera, microphone or location.

The first Patch Tuesday of 2022 is upon us, and Microsoft has delivered patches for 96 CVE-numbered vulnerabilities, including a wormable RCE flaw in Windows Server. Among the publicly known flaws are a "Critical" RCE in curl and "Important" RCE in libarchive open source libraries, which have now been "Fixed" in Windows 10, 11 and Server with the inclusion of the most recent versions of the libraries.

The U.S. Cybersecurity and Infrastructure Security Agency has updated its list of known exploited vulnerabilities with 15 new security issues that serve as a frequent attack vector against federal enterprises. In combination with other factors such as a threat actor's foothold on the network, old and unpatched devices, and/or device exposure on the public internet, the vulnerabilities are a serious security gap and an opportunity for adversaries.

If you were a user of either of those projects, and if you are inclined to accept any and all updates to your source code automatically without any sort of code review or testing. We've written about security holes suddenly showing up in numerous coding communities, including PHP programmers, Pythonistas, Ruby users, and NPM fans.

Last year brought forth much more than a Ben Affleck-Jennifer Lopez reunion - analysts found the number of exploitable WordPress plugin vulnerabilities exploded. Researchers from RiskBased Security reported they found the number of WordPress Plugin vulnerabilities rose by triple digits in 2021.

The new update is now available for Windows 10 version 21H2, version 21H1, and version 20H2 As per the official release notes, Microsoft has published two main cumulative updates for Windows 10 - KB5009543 and KB5009545. This month's cumulative updates include security fixes for November 2021 Update, May 2021 Update, October 2020 Update.

During this year's first Patch Tuesday, Microsoft has addressed a critical severity Office vulnerability that can let attackers execute malicious code remotely on vulnerable systems. The security flaw, tracked as CVE-2022-21840, is a remote code execution bug that attackers can exploit with no privileges on the targeted devices as part of low complexity attacks that require user interaction.

Microsoft has released the Windows 11 KB5009566 cumulative update with security updates, performance improvements, and fixes for known bugs. KB5009566 is a mandatory cumulative update as it contains the January 2022 Patch Tuesday security updates for vulnerabilities discovered in previous months.

Today is Microsoft's January 2022 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 97 flaws. [...]

A new variant of the RedLine info-stealer is distributed via emails using a fake COVID-19 Omicron stat counter app as a lure. RedLine is a widespread commodity malware sold to cyber-criminals for a couple of hundred USD. It supplies dark web markets with over half of the stolen user credentials sold to other threat actors.