Security News

Log4J-Related RCE Flaw in H2 Database Earns Critical Rating
2022-01-07 15:12

Researchers discovered a bug related to the Log4J logging library vulnerability, which in this case opens the door for an adversary to execute remote code on vulnerable systems. JFrog security researchers discovered the flaw and rated it critical in the context of the H2 Java database console, a popular open-source database, according to a Thursday blog post by the researchers.

New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw
2021-12-28 19:33

A short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware. "The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker," SophosLabs researchers Andrew Brandt and Stephen Ormandy said in a new report published Tuesday.

Blackmagic fixes critical DaVinci Resolve code execution flaws
2021-12-24 15:00

Blackmagic Software has recently addressed two security vulnerabilities in the highly popular DaVinci Resolve software that would allow attackers to gain code execution on unpatched systems. As its developer Blackmagic claims, DaVinci Resolve is "Hollywood's most popular solution for editing" for Mac, Windows, and Linux.

Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS
2021-12-22 17:59

Don't duck at the latest mention of Apache: Two critical bugs in its HTTP web server - HTTPD - need to be patched pronto, lest they lead to attackers triggering denial of service or bypassing your security policies. Both vulnerabilities are found in Apache HTTP Server 2.4.51 and earlier.

Apache’s other product: Critical bugs in ‘httpd’ web server, patch now!
2021-12-21 19:57

With more than 3000 files totalling close to a million lines of source code, Apache httpd is a large and capable server, with myriad combinations of modules and options making it both powerful and dangerous at the same time. Apache just published an httpd update that fixes two CVE-numbered security bugs.

800K WordPress sites still impacted by critical SEO plugin flaw
2021-12-21 19:25

Two security vulnerabilities, one critical and one high severity, in the highly popular "All in One" SEO WordPress plugin exposed over 3 million websites to takeover attacks. The security flaws, discovered and reported by Automattic security researcher Marc Montpas, are a critical Authenticated Privilege Escalation bug and a high-severity Authenticated SQL Injection.

Zero trust isn’t just for IT, it can also protect targeted critical infrastructure
2021-12-20 06:15

Let's examine some of the big challenges in OT security, and how zero trust can fix them. Zero trust is a security framework that assumes every user or device is a potential threat.

CISA urges VMware admins to patch critical flaw in Workspace ONE UEM
2021-12-17 18:32

CISA has asked VMware admins and users today to patch a critical security vulnerability found in the Workspace ONE UEM console that threat actors could abuse to gain access to sensitive information. Workspace ONE Unified Endpoint Management is a VMware solution for over-the-air remote management of desktops, mobile, rugged, wearables, and IoT devices.

US orders federal govt agencies to patch critical Log4j bug
2021-12-17 17:35

US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days. "To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action," CISA Director Jen Easterly said at the time.

Over Log4j? VMware has another critical flaw for you to patch
2021-12-17 02:28

VMware customers have probably had a busy week because more than 100 of the IT giant's products are impacted by the Log4j bug. Now they need to make another urgent patching effort, because the virty giant has identified another critical flaw in its products that it rates as requiring urgent attention.