Security News

Let's start off with what Redmond didn't fix: two Exchange Server bugs dubbed ProxyNotShell that have been exploited by snoops as far back as August. A month later, Zero Day Initiative purchased the bugs and disclosed them to Microsoft.

The second Tuesday in October is also Ada Lovelace Day, celebrating Ada, Countess of Lovelace. Ada was a true pioneer not only of computing, but also of computer science, and gave her name to the programming language Ada.

Today is Microsoft's October 2022 Patch Tuesday, and with it comes fixes for an actively exploited Windows vulnerability and a total of 84 flaws. The above counts do not include twelve vulnerabilities fixed in Microsoft Edge on October 3rd. For information about the non-security Windows updates, you can read today's Windows 10 KB5018410 and KB5018419 updates and the Windows 11 KB5018427 update.

Called SandBreak, this new vulnerability requires R&D leaders, AppSec engineers, and security professionals to ensure they immediately patch the vm2 sandbox if they use it in their applications. Vm2 is the most popular Javascript sandbox library, with around 17.5 million monthly downloads.

How to start and grow a cybersecurity consultancyA cybersecurity industry veteran, Praveen Singh is the co-founder and Chief Information Security Advisor at CyberPWN Technologies, a digital defense consulting firm. CISA orders federal agencies to regularly perform IT asset discovery, vulnerability enumerationA new directive issued by the Cybersecurity and Infrastructure Security Agency is ordering US federal civilian agencies to perform regular asset discovery and vulnerability enumeration, to better account for and protect the devices that reside on their networks.

Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability."An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests," Fortinet explains in a customer support bulletin issued today.

Looking way ahead in the forecast, Microsoft Server 2012/2012 R2 will go into ESU support following the October 2023 Patch Tuesday on October 11. October 2022 Patch Tuesday forecast Expect the trend to address more CVEs in the older operating systems to continue.

The Cybersecurity and Infrastructure Security Agency late on Friday placed the flaw - tracked as CVE-2022-36804 - on its catalog of Known Exploited Vulnerabilities, effectively a must-patch list. CISA put the vulnerability in Bitbucket Server and Data Center tools on the KEV list on the same day as two high-profile Microsoft Exchange zero-day flaws.

Security software company Sophos has warned of cyberattacks targeting a recently addressed critical vulnerability in its firewall product.The issue, tracked as CVE-2022-3236, impacts Sophos Firewall v19.0 MR1 and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution.

The U.S. Cybersecurity and Infrastructure Security Agency has added half a dozen vulnerabilities to its catalog of Known Exploited Vulnerabilities and is ordering federal agencies to follow vendor's instructions to fix them. CISA is giving federal agencies until October 6th to patch security vulnerabilities that have been reported between 2010 and 2022.