Security News

January Patch Tuesday tackles 50 bugs, with eight rated critical, all as it pushes out its last regular Windows 7 patches. A major crypto-spoofing bug impacting Windows 10 users has been fixed as part of Microsoft's January Patch Tuesday security bulletin.

As forecasted, January 2020 Patch Tuesday releases by Microsoft and Adobe are pretty light: the "Star of the show" is CVE-2020-0601, a Windows flaw flagged by the NSA that could allow attackers to successfully spoof code-signing certificates and use them to sign malicious code or intercept and modify encrypted communications. The flaw only affects newer versions of Windows and Windows Server, and is found in the Windows CryptoAPI, which validates Elliptic Curve Cryptography certificates.

The U.S. National Security Agency has informed Microsoft that Windows is affected by a potentially serious spoofing vulnerability that could allow hackers to make a malicious file appear to come from a trusted source or conduct man-in-the-middle attacks. The NSA reached out to reporters to inform them about the vulnerability before Microsoft released its patches.

With no bug fixes or patches available for Windows 7 after Jan. 14, Veritas CIO John Abel offers tips to safeguard the PCs in your organization.

Microsoft on Tuesday will offer its final, free updates and security fixes for its Windows 7 operating system as well as Office 2010. "After 10 years, support for Windows 7 is coming to an end on Jan. 14 in a planned activation to transition users towards Windows 10," a Microsoft spokeswoman tells Information Security Media Group.

Following reports about text transcriptions of live Skype calls being vetted by humans, meaning that sensitive conversations could have been bugged, Microsoft says it's moved its human grading of Cortana and Skype recordings into "Secure facilities", none of which are in China. On Friday, The Guardian published a report after talking to a former Microsoft contractor who lived in Beijing and transcribed thousands of audio recordings from Skype and the company's Cortana voice assistant - all with little cybersecurity protection, either from hackers or from potential interception by the government.

Zimperium, the global leader in mobile threat defense, announced it has integrated with Microsoft Defender Advanced Threat Protection endpoint detection and response. Advanced threat forensics - Microsoft Defender ATP now has threat forensics including attacker IP/MAC, WiFi network details, malicious processes and apps, and reasons for device compromise or jailbreak;.

Last year, Microsoft did roll out phishing detection to Microsoft Forms, an online product that lets people create surveys, quizzes, and polls. "Contrary to Avanan's marketing claims, Microsoft does not automatically trust any domain, including the Office and Sway domains. All links are analyzed, assessed and compared to known attack vectors, including local domains. Additionally, Microsoft performs a complete assessment of Sway content, including the scanning of links on the pages."

PacketViper, the cyber deception leader for automated threat detection, prevention and response, announced the general availability of Deception360 for Microsoft Azure. Deception360 for Azure cloud helps customers leverage deception to reduce dwell time and respond to threats within the Azure cloud environment while also preventing attackers from getting in.

An information disclosure vulnerability affecting Microsoft Access can cause sensitive data from system memory to be unintentionally saved in database files, email security company Mimecast revealed on Tuesday. The vulnerability, dubbed "MDB Leaker" by Mimecast, is related to "The improper management of system memory by an application." It can cause the content of uninitialized memory elements to be saved into Microsoft Access MDB files.