Security News

Security researchers have shared technical details for exploiting a critical Microsoft Outlook vulnerability for Windows that allows hackers to remotely steal hashed passwords by simply receiving an email. The issue is a privilege escalation vulnerability with a 9.8 severity rating that affects all versions of Microsoft Outlook on Windows.

Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks. The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform and SAP NetWeaver.

Today, the U.S. Cybersecurity & Infrastructure Security Agency announced a new pilot program to help critical infrastructure entities protect their information systems from ransomware attacks. "Through the Ransomware Vulnerability Warning Pilot, which started on January 30, 2023, CISA is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors," the cybersecurity agency said.

Today, the U.S. Cybersecurity & Infrastructure Security Agency announced a new pilot program to help critical infrastructure entities protect their information systems from ransomware attacks. "Recognizing the persistent threat posed by ransomware attacks to organizations of all sizes, the Cybersecurity and Infrastructure Security Agency announces today the establishment of the Ransomware Vulnerability Warning Pilot," the cybersecurity agency said.

CISA has added a critical severity vulnerability in VMware's Cloud Foundation to its catalog of security flaws exploited in the wild. The flaw was found in the XStream open-source library used by vulnerable VMware products and has been assigned an almost maximum severity score of 9.8/10 by VMware.

Fortinet has patched 15 vulnerabilities in a variety of its products, including CVE-2023-25610, a critical flaw affecting devices running FortiOS and FortiProxy.Discovered by Fortinet infosec engineer Kai Ni, CVE-2023-25610 is a buffer underwrite vulnerability found in the FortiOS and FortiProxy administrative interface.

Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. "A buffer underwrite vulnerability in FortiOS and FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests," Fortinet said in an advisory.

Fortinet has disclosed a "Critical" vulnerability impacting FortiOS and FortiProxy, which allows an unauthenticated attacker to execute arbitrary code or perform denial of service on the GUI of vulnerable devices using specially crafted requests. FortiOS version 7.2.0 through 7.2.3.

Google has released March 2023 security updates for Android, fixing a total of 60 flaws, and among them, two critical-severity remote code execution vulnerabilities impacting Android Systems running versions 11, 12, and 13. "The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed," reads the security bulletin.

Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors. "The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report shared with The Hacker News.