Security News

June Patch Tuesday: VMware vuln under attack by Chinese spies, Microsoft kinda meh
2023-06-13 20:32

Microsoft has released security updates for 78 flaws for June's Patch Tuesday, and luckily for admins, none of these are under exploit. CVE-2023-29357, a Microsoft SharePoint Server Elevation of Privilege Vulnerability, is one that Redmond lists as "Exploitation more likely." This may be because it, when chained with other bugs, was used to bypass authentication during March's Pwn2Own contest.

June 2023 Patch Tuesday: Critical patches for Microsoft Windows, SharePoint, Exchange
2023-06-13 18:36

For June 2023 Patch Tuesday, Microsoft has delivered 70 new patches but, for once, none of the fixed vulnerabilities are currently exploited by attackers nor were publicly known before today! Microsoft has previously fixed CVE-2023-3079, a type confusion vulnerability in Chromium's V8 JavaScript engine, which was spotted being exploited by attackers to target Chrome users.

Microsoft June 2023 Patch Tuesday fixes 78 flaws, 38 RCE bugs
2023-06-13 17:28

Today is Microsoft's June 2023 Patch Tuesday, with security updates for 78 flaws, including 38 remote code execution vulnerabilities. While thirty-eight RCE bugs were fixed, Microsoft only listed six flaws as 'Critical,' including denial of service attacks, remote code execution, and privilege elevation.

Critical FortiOS and FortiProxy Vulnerability Likely Exploited - Patch Now!
2023-06-13 04:21

Fortinet on Monday disclosed that a newly patched critical flaw impacting FortiOS and FortiProxy may have been "Exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors. The vulnerability, tracked as CVE-2023-27997, concerns a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

It’s time to patch your MOVEit Transfer solution again!
2023-06-12 13:33

Progress Software customers who use the MOVEit Transfer managed file transfer solution might not want to hear it, but they should quickly patch their on-prem installations again: With the help of researchers from Huntress, the company has uncovered additional SQL injection vulnerabilities that could potentially be used by unauthenticated attackers to grab data from the web application's database. "The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," the company said, and confirmed that they've "Deployed a new patch to all MOVEit Cloud clusters to address the new vulnerabilities."

Critical RCE Flaw Discovered in Fortinet FortiGate Firewalls - Patch Now!
2023-06-12 06:49

Fortinet has released patches to address a critical security flaw in its FortiGate firewalls that could be abused by a threat actor to achieve remote code execution.The vulnerability, tracked as CVE-2023-27997, is "Reachable pre-authentication, on every SSL VPN appliance," Lexfo Security researcher Charles Fol, who discovered and reported the flaw, said in a tweet over the weekend.

Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now
2023-06-11 15:43

Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices. While not mentioned in the release notes, security professionals and admins have hinted that the updates quietly fixed a critical SSL-VPN RCE vulnerability that would be disclosed on Tuesday, June 13th, 2023.

Week in review: 9 free cybersecurity whitepapers, Patch Tuesday forecast
2023-06-11 08:00

20 cybersecurity projects on GitHub you should check outOpen-source GitHub cybersecurity projects, developed and maintained by dedicated contributors, provide valuable tools, frameworks, and resources to enhance security practices. How to make developers love securityStories of the tension between developers and security teams are a longstanding feature of the software industry, stemming from the friction that security is often perceived to create.

New Critical MOVEit Transfer SQL Injection Vulnerabilities Discovered - Patch Now!
2023-06-10 08:50

Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information. "Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database," the company said in an advisory released on June 9, 2023.

New MOVEit Transfer critical flaws found after security audit, patch now
2023-06-09 18:49

Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer solution that can let attackers steal information from customers' databases. "An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress says in an advisory published today.