Security News

Automattic, the company behind the open-source WordPress content management system, has started force installing a security patch on millions of websites today to address a critical vulnerability in the Jetpack WordPress plug-in. According to the official WordPress plug-in repository, the plug-in is maintained by Automattic, and it now has over 5 million active installations.

Today, the U.S. Cybersecurity & Infrastructure Security Agency ordered federal agencies to address three recently patched zero-day flaws affecting iPhones, Macs, and iPads known to be exploited in attacks. iPhone 6s, iPhone 7, iPhone SE, iPad Air 2, iPad mini, iPod touch, and iPhone 8 and later.

Apple have just introduced "Rapid Security Responses." People are reporting that they take seconds to download and require one super-quick reboot. These new Rapid Security Responses were only available for the very latest version of macOS and the latest iOS/iPadOS, which left users of older Macs and iDevices, as well as owners of Apple Watches and Apple TVs, in the dark.

An evaluation that begins with a focus on specific key criteria - essential attributes and functionality likely to be offered by many vendors but not all - will allow IT teams to narrow down their options as they work to identify the best solution for their organization's patch management needs. In Linux operating systems, the platform must determine whether a patch can be applied or if an existing patch must be removed before the new patch is applied, at which point the original patch can be reinstalled.

If a miscreant carefully crafted a mail with that sound path set to a remote SMB server, when Outlook fetched and processed the message, and automatically followed the path to the file server, it would hand over the user's Net-NTLMv2 hash in an attempt to log in. The patch from a couple of months ago made Outlook use the Windows function MapUrlToZone to inspect where a notification sound path was really pointing, and if it was out to the internet, it would be ignored and the default sound would play.

Although you'll get the patch if you perform a full Patch Tuesday download and let the update complete. The full patch involves updating Microsoft's bootup code in your hard disk's startup partition, and then telling your motherboard not to trust the old, insecure bootup code any more.

Among the vulnerabilities fixed by Microsoft on May 2023 Patch Tuesday is CVE-2023-29324, a bug in the Windows MSHTML platform that Microsoft rates as "Important." Akamai's research team and Ben Barnea, the researcher who's credited with finding the flaw, disagree with that assessment, because "The new vulnerability re-enables the exploitation of a critical vulnerability that was seen in the wild and used by APT operators."

Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Eight of the flaws have been tagged with "Exploitation More Likely" assessment by Microsoft.

Today is Microsoft's May 2023 Patch Tuesday, and security updates fix three zero-day vulnerabilities and a total of 38 flaws. Today's Patch Tuesday is one of the smallest in terms of resolved vulnerabilities, with only thirty-eight vulnerabilities fixed, not including eleven Microsoft Edge vulnerabilities fixed last week, on May 5th. Three zero-days fixed.

Apple starts delivering smaller security updatesThe security updating of iPhones, iPads and Macs has entered a new stage: Apple has, for the first time, released a Rapid Security Response to owners of the devices running the latest versions of its operating systems. Fake ChatGPT desktop client steals Chrome login dataResearchers are warning about an infostealer mimicking a ChatGPT Windows desktop client that's capable of copying saved credentials from the Google Chrome login data folder.