Security News

November 2022 Patch Tuesday forecast: Wrapping up loose ends?
2022-11-04 06:25

Microsoft turned around and released a series of non-security updates that fixed some discovered connections issues - forcing many to conduct another unplanned patch cycle. The initial concern was that CVE-2022-3602 could lead to another Heartbleed situation which did result in widespread exploitation in 2014 of CVE-2014-0160 in OpenSSL. The good news is these recent CVEs are much harder to exploit, but you should update to the latest version of OpenSSL in your environment during your next patch cycle to protect yourself from the sure-to-come attacks.

OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway!
2022-11-01 20:24

OpenSSL 1.1.1 goes to version 1.1.1s, and patches one listed security-related bug, but this bug doesn't have a security rating or an official CVE number. OpenSSL 3.0 goes to version 3.0.7, and patches not one but two CVE-numbered security bugs that are official designated at HIGH severity.

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities
2022-11-01 16:26

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service and remote code execution. It's worth noting that the commonly deployed OpenSSL 1.x versions are not vulnerable.

Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability
2022-10-31 12:00

An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows that makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web protections. The fix, released by 0patch, arrives weeks after HP Wolf Security disclosed a Magniber ransomware campaign that targets users with fake security updates which employ a JavaScript file to proliferate the file-encrypting malware.

ConnectWise backup solutions open to RCE, patch ASAP!
2022-10-31 11:11

ConnectWise has fixed a critical vulnerability in ConnectWise Recover and R1Soft Server Backup Manager that could allow attackers to achieve remote code exection or access confidential data. The company advises users to patch as soon as possible, as the vulnerability is "Either being targeted or have a higher risk of being targeted by exploits in the wild."

Actively exploited Windows MoTW zero-day gets unofficial patch
2022-10-30 14:05

A free unofficial patch has been released for an actively exploited zero-day that allows files signed with malformed signatures to bypass Mark-of-the-Web security warnings in Windows 10 and Windows 11. What made these Magniber JavaScript files stand out was that even though they contained a Mark-of-a-Web, Windows did not display any security warnings when they were launched.

Exploit released for critical VMware RCE vulnerability, patch now
2022-10-28 15:34

Proof-of-concept exploit code is now available for a pre-authentication remote code execution vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances. The flaw is in the XStream open-source library used by the two VMware products and was assigned an almost maximum CVSSv3 base score of 9.8/10 by VMware.

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability
2022-10-28 10:40

Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine.

VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform
2022-10-26 04:24

VMware on Tuesday shipped security updates to address a critical security flaw in its VMware Cloud Foundation product. "Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance," the company said in an advisory.

Cisco warns admins to patch AnyConnect flaws exploited in attacks
2022-10-25 20:55

Cisco warned customers today that two security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows are being exploited in the wild. [...]