Security News

Microsoft has described a severe ChromeOS security vulnerability that one of its researchers reported to Google in late April. Microsoft's write-up is noteworthy both for the severity of the bug and for flipping of the script - it has tended to be Google, particularly its Project Zero group, that calls attention to bugs in Microsoft software.

Exploit code has been released for a critical vulnerability affecting networking devices with Realtek's RTL819x system on a chip, which are estimated to be in the millions. The flaw is identified as CVE-2022-27255 and a remote attacker could exploit it to compromise vulnerable devices from various original equipment manufacturers, ranging from routers and access points to signal repeaters.

Given the apparent speed and ease with which Zoom was able to emit a patch for the bug, dubbed CVE-2022-28756, you're probably wondering why Wardle didn't tell Zoom about the bug in advance, setting the day of his speech as the deadline for revealing the details. That would have given Zoom time to push out the update to its many Mac users, thus eliminating the gap between Wardle explaining to the world how to abuse the bug, and the patching of the bug.

Only 55 percent of companies have any insurance at all. "The situation is particularly acute for uninsured small and mid-sized businesses, who must weigh the soaring costs of cyber insurance premiums against the very real risk of being unable to recover from a successful attack."

Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems. Even more concerningly, an adversary with any level of access within the host network could daisy-chain three of the flaws to bypass authentication protections and achieve remote code execution with the highest privileges.

Microsoft is urging users to patch a zero-day vulnerability dubbed Dogwalk that is actively being exploited in the wild. The actively exploited Dogwalk bug was first reported to Microsoft in January 2020 by researcher Imre Rad. However, it wasn't until a separate researchers began tracking the exploitation of a flaw dubbed Follina that the Dogwalk bug was rediscovered.

Proof-of-concept exploit code is now publicly available online for a critical authentication bypass security flaw in multiple VMware products that enables attackers to gain admin privileges.A week ago, VMware released updates to address the vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

The US government is warning of critical vulnerabilities in its Emergency Alert System systems that, if exploited, could enable intruders to send fake alerts out over television, radio, and cable networks. The system is designed to ensure that the president can address US citizens within 10 minutes during a national emergency and requires that radio and TV broadcasters, cable TV, wireless cable systems, satellite, and wireline operators ensure that can happen.

Cisco has revealed four of its small business router ranges have critical flaws - for the second time in 2022 alone. A Wednesday advisory warns owners of the RV160, RV260, RV340, and RV345 Series Routers that the vulnerabilities could allow "An unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on an affected device."

As many as 29 different router models from DrayTek have been identified as affected by a new critical, unauthenticated, remote code execution vulnerability that, if successfully exploited, could lead to full compromise of the device and unauthorized access to the broader network. Over 200,000 devices from the Taiwanese manufacturer are said to have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited.