Security News
Some signed third-party bootloaders for the Unified Extensible Firmware Interface could allow attackers to execute unauthorized code in an early stage of the boot process, before the operating system loads. Eclypsium security researchers Mickey Shkatov and Jesse Michael discovered vulnerabilities affecting UEFI bootloaders from third-party vendors that could be exploited to bypass the Secure Boot feature on Windows machines.
Microsoft appears to have beaten Google on the bug bounty front, with $13.7 million in rewards spread out over 335 researchers. The biggest prize awarded by Microsoft was $200,000 under the Hyper-V Bounty Program and the average award was $12,000.
Microsoft is investigating customer reports of a known issue causing Outlook for Microsoft 365 to freeze and crash right after opening. According to a new support document published by Redmond on Thursday, these Outlook desktop client crashes will be automatically logged and can be confirmed by checking the Windows Event Viewer Application Log for Event 1000 or Event 1001.
Microsoft has pulled the Microsoft 365 version 2206 update after users reported that their Office applications were crashing when viewing a contact card or hovering over a user's name or photo. "Just upgraded to Office 2206 in Monthly Enterprise Channel and whenever you move the cursor over the picture or icon of the sender of an email, Outlook immediately crashes," explained a Microsoft 365 user on the Microsoft Answers forum.
Instead of thinking about lists of devices, databases, servers and other assets, you can get better defenses by looking at your inventory from the outside in, the way an attacker would, thinking about what security weaknesses your assets have, what they're connected to and what would be exposed if they were compromised. "We need to help security teams and defenders of all kinds change the game in how they think about what attackers are doing. How do we think the way that attackers do, and how can we look at our own organizations the way that an attacker would see them?"
As many as 121 new security flaws were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also include a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild. It's worth noting that the 121 security flaws are in addition to 25 shortcomings the tech giant addressed in its Chromium-based Edge browser late last month and the previous week.
A new large-scale phishing campaign targeting Coinbase, MetaMask, Kraken, and Gemini users is abusing Google Sites and Microsoft Azure Web App to create fraudulent sites. Posting links to phishing pages on various legitimate sites aims to increase traffic and boost the malicious site's search engine rankings.
An ongoing outage affects multiple Microsoft 365 services, blocking users from connecting to Exchange Online, Microsoft Teams, Outlook desktop clients, and OneDrive for Business. While Microsoft says that this incident has only affected customers in the EMEA region, users have been reporting server connection issues and sign-in failures worldwide.
Microsoft is urging users to patch a zero-day vulnerability dubbed Dogwalk that is actively being exploited in the wild. The actively exploited Dogwalk bug was first reported to Microsoft in January 2020 by researcher Imre Rad. However, it wasn't until separate researchers began tracking the exploitation of a flaw dubbed Follina that the Dogwalk bug was rediscovered.
Of the 121 Microsoft bugs, 17 are considered critical. First is CVE-2022-34713, a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool that's under active attack.