Security News

Apple has launched the first Rapid Security Response patches for iOS 16.4.1 and macOS 13.3.1 devices, with some users having issues installing them on their iPhones. As the company describes in a recently published support document, RSR patches are small-sized updates that target the iPhone, iPad, and Mac platforms and patch security issues between major software updates.

Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. "Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device," Zyxel said in an advisory on April 25, 2023.

Hats off to PaperCut in this case, because the company really is trying to make sure that all its customers know about the importance of two vulnerabilities in its products that it patched last month, to the point that it's put a green-striped shield at the top of its main web page that says, "Urgent security message for all NG/MF customers." We've seen companies that have admitted to unpatched zero-day vulnerabilities and data breaches in a less obvious fashion than this, which is why we're saying "Good job" to the Papercut team for what cybersecurity jargon would probably praise with the orotund phrase an abundance of caution.

Attackers are exploiting severe vulnerabilities in the widely-used PaperCut MF/NG print management software to install Atera remote management software to take over servers. The two security flaws allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that don't require user interaction.

Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems. The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director, which resides in the web UI component and arises as a result of improper input validation when uploading a Device Pack.

Google on Tuesday rolled out emergency fixes to address another actively exploited high-severity zero-day flaw in its Chrome web browser. The flaw, tracked as CVE-2023-2136, is described as a case of integer overflow in Skia, an open source 2D graphics library.

A security researcher has released, yet another sandbox escape proof of concept exploit that makes it possible to execute unsafe code on a host running the VM2 sandbox. VM2 is a specialized JavaScript sandbox used by a broad range of software tools for running and testing untrusted code in an isolated environment, preventing the code from accessing the host's system resources or external data.

An Australian military helicopter crash was reportedly caused by failure to apply a software patch, with a heft side serving of pilot error. The helicopter in question is an MRH-90 Taipan operated by the Australian Army and was engaged in what's been described as "a routine counter-terrorism training activity" on March 23rd when it ditched just off a beach in the State of New South Wales.

Two Critical bugs in particular grabbed our interest. The last two bugs that intrigued us were CVE-2023-28249 and CVE-2023-28269, both listed under the headline Windows Boot Manager Security Feature Bypass Vulnerability.

Security researchers and experts warn of a critical vulnerability in the Windows Message Queuing middleware service patched by Microsoft during this month's Patch Tuesday and exposing hundreds of thousands of systems to attacks. MSMQ is available on all Windows operating systems as an optional component that provides apps with network communication capabilities with "Guaranteed message delivery," and it can be enabled via PowerShell or the Control Panel.