Security News

Today is Microsoft's May 2023 Patch Tuesday, and security updates fix three zero-day vulnerabilities and a total of 38 flaws. Today's Patch Tuesday is one of the smallest in terms of resolved vulnerabilities, with only thirty-eight vulnerabilities fixed, not including eleven Microsoft Edge vulnerabilities fixed last week, on May 5th. Three zero-days fixed.

Apple starts delivering smaller security updatesThe security updating of iPhones, iPads and Macs has entered a new stage: Apple has, for the first time, released a Rapid Security Response to owners of the devices running the latest versions of its operating systems. Fake ChatGPT desktop client steals Chrome login dataResearchers are warning about an infostealer mimicking a ChatGPT Windows desktop client that's capable of copying saved credentials from the Google Chrome login data folder.

Microsoft reiterated in a blog that Windows 10 22H2 is the final feature version of Windows 10 and that all editions will receive security updates through October 14, 2025. They've since followed up with Extended Stable channel update 112.0.5615.179 for Windows and Mac, as well as a Stable Channel Update for Desktop 113 for Windows, Mac and Linux.

Apple on Monday pushed to some iPhones and Macs its first-ever rapid security fix. This type of patch is supposed to be downloaded and applied automatically and seamlessly by the operating system to immediately protect devices from exploitation, thus avoiding the usual system update cycle that users may put off or miss and thus leave their stuff vulnerable to attack.

We've written about the uncertainty of Apple's security update process many times before. Rapid Security Responses are a new type of software release for iPhone, iPad, and Mac.

Apple has launched the first Rapid Security Response patches for iOS 16.4.1 and macOS 13.3.1 devices, with some users having issues installing them on their iPhones. As the company describes in a recently published support document, RSR patches are small-sized updates that target the iPhone, iPad, and Mac platforms and patch security issues between major software updates.

Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. "Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device," Zyxel said in an advisory on April 25, 2023.

Hats off to PaperCut in this case, because the company really is trying to make sure that all its customers know about the importance of two vulnerabilities in its products that it patched last month, to the point that it's put a green-striped shield at the top of its main web page that says, "Urgent security message for all NG/MF customers." We've seen companies that have admitted to unpatched zero-day vulnerabilities and data breaches in a less obvious fashion than this, which is why we're saying "Good job" to the Papercut team for what cybersecurity jargon would probably praise with the orotund phrase an abundance of caution.

Attackers are exploiting severe vulnerabilities in the widely-used PaperCut MF/NG print management software to install Atera remote management software to take over servers. The two security flaws allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that don't require user interaction.

Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems. The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director, which resides in the web UI component and arises as a result of improper input validation when uploading a Device Pack.