Security News

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

Facebook last week rushed to patch a bug that exposed the accounts of individuals who manage pages, after the weakness was exploited against several high-profile pages. If a Facebook page's administrator edits a post, users can keep track of the modifications with the "View edit history" feature.

The January 2020 Patch Tuesday will provide us with the last free update of Windows 7 and Server 2008/2008 R2. We've talked about it for the last several months and it is finally here. Microsoft may have 'saved up' other updates for January Patch Tuesday, but I suspect not.

Cisco has released a fresh batch of security updates for its networking and comms gear lines. The high-priority patch this month is the fix for CVE-2019-16009, a cross-site request forgery, in the web UI of Cisco IOS and Cisco IOS XE that can be exploited to steal credentials from users via malicious links.

Google's Project Zero bug-hunting team has tweaked its 90-day responsible disclosure policy to help improve the quality and adoption of vendor patches. The vendor then has 90 days to fix the bug before Project Zero lifts the veil.

The more notable part of the announcement is Project Zero's decision to wait to disclose bug details until 90 days elapses, even if a patch becomes available before then. "For the last five years, the team has used its vulnerability disclosure policy to focus on one primary goal: Faster patch development," explained Willis, in a posting on Tuesday on the policy changes.

Patting itself on its back for motivating software makers to fix 97.7 per cent of the vulnerabilities it identifies within its 90-day disclosure deadline, Google's bug-hunting unit Project Zero has decided to ease up on those racing to patch their flawed products. As a result of the amended policy, vulnerability details will remain undisclosed for a longer period of time, giving developers enough time to fix their code, and netizens to test and install the patches, before Googlers make technical details and proof-of-concept exploits public for all to see.

On Saturday, Troy Mursch of Chicago-based threat intelligence firm Bad Packets reported that his internet scans have identified 3,825 Pulse Secure VPN servers that remain at risk because they have not been updated with a patch to fix a critical vulnerability, designated CVE-2019-1150. The patch for Pulse Secure VPN servers - as with critical patches for VPN servers built by Fortinet and Palo Alto that have also required updates to fix serious flaws since last year - has been available for months.

Four antivirus providers have released patches for an issue that was initially detailed by a researcher more than 10 years ago. Reported by Thierry Zoller in 2009, the bug resides in an attacker's ability to craft compressed archives that, although accessible to a user, cannot be scanned by the antivirus product.

Unauthorised users able to perform 'arbitrary code execution' A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and...