Security News

Right at the start of June 2023, well-known Russian cybersecurity outfit Kaspersky reported on a previously unknown strain of iPhone malware. Typically, iPhone malware that can compromise an entire device not only violates Apple's strictures about software downloads being restricted to the "Walled garden" of Apple's own App Store, but also bypasses Apple's much vaunted app separation, which is supposed to limit the reach of each app to a "Walled garden" of its own, containing only the data collected by that app itself.

Three of them were exploited by Russian APT28 cyberspies to hack into Roundcube email servers belonging to Ukrainian government organizations. While the KEV catalog's primary focus is alerting federal agencies of exploited vulnerabilities that must be patched as soon as possible, it is also highly advised that private companies worldwide prioritize addressing these bugs.

Annoyingly for ASUS customers, perhaps, two of the now-patched vulnerabilities have been around waiting to be patched for a long time. Why ASUS took so long to patch these particular bugs is not mentioned in the company's official advisory, but handling HTTP "Escape codes" is a fundamental part of any software that listens to and uses web URLs.

ASUS has released new firmware with cumulative security updates that address vulnerabilities in multiple router models, warning customers to immediately update their devices or restrict WAN access until they're secured.As the company explains, the newly released firmware contains fixes for nine security flaws, including high and critical ones.

In case you were wondering, there were 26 Remote Code Execution patches, including four dubbed "Critical", although three of those seem to related bugs that were found and fixed together in a single Windows component. RCE patches generally cause the most concern, because they deal with bugs that can, in theory at least, be exploited by attackers who don't yet have a foothold on your network, which means they represent possible ways of criminals breaking-and-entering in the first place.

Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023. It's worth noting that Microsoft also closed out 26 other flaws in Edge - all of them rooted in Chromium itself - since the release of May Patch Tuesday updates.

Microsoft has released security updates for 78 flaws for June's Patch Tuesday, and luckily for admins, none of these are under exploit. CVE-2023-29357, a Microsoft SharePoint Server Elevation of Privilege Vulnerability, is one that Redmond lists as "Exploitation more likely." This may be because it, when chained with other bugs, was used to bypass authentication during March's Pwn2Own contest.

For June 2023 Patch Tuesday, Microsoft has delivered 70 new patches but, for once, none of the fixed vulnerabilities are currently exploited by attackers nor were publicly known before today! Microsoft has previously fixed CVE-2023-3079, a type confusion vulnerability in Chromium's V8 JavaScript engine, which was spotted being exploited by attackers to target Chrome users.

Today is Microsoft's June 2023 Patch Tuesday, with security updates for 78 flaws, including 38 remote code execution vulnerabilities. While thirty-eight RCE bugs were fixed, Microsoft only listed six flaws as 'Critical,' including denial of service attacks, remote code execution, and privilege elevation.

Fortinet on Monday disclosed that a newly patched critical flaw impacting FortiOS and FortiProxy may have been "Exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors. The vulnerability, tracked as CVE-2023-27997, concerns a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.