Security News

It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
2022-10-11 22:35

Let's start off with what Redmond didn't fix: two Exchange Server bugs dubbed ProxyNotShell that have been exploited by snoops as far back as August. A month later, Zero Day Initiative purchased the bugs and disclosed them to Microsoft.

Move over Patch Tuesday – it’s Ada Lovelace Day!
2022-10-11 19:22

The second Tuesday in October is also Ada Lovelace Day, celebrating Ada, Countess of Lovelace. Ada was a true pioneer not only of computing, but also of computer science, and gave her name to the programming language Ada.

Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws
2022-10-11 17:32

Today is Microsoft's October 2022 Patch Tuesday, and with it comes fixes for an actively exploited Windows vulnerability and a total of 84 flaws. The above counts do not include twelve vulnerabilities fixed in Microsoft Edge on October 3rd. For information about the non-security Windows updates, you can read today's Windows 10 KB5018410 and KB5018419 updates and the Windows 11 KB5018427 update.

Critical vm2 sandbox escape flaw uncovered, patch ASAP! (CVE-2022-36067)
2022-10-10 09:34

Called SandBreak, this new vulnerability requires R&D leaders, AppSec engineers, and security professionals to ensure they immediately patch the vm2 sandbox if they use it in their applications. Vm2 is the most popular Javascript sandbox library, with around 17.5 million monthly downloads.

Week in review: 7 cybersecurity audiobooks to read, Patch Tuesday forecast
2022-10-09 08:00

How to start and grow a cybersecurity consultancyA cybersecurity industry veteran, Praveen Singh is the co-founder and Chief Information Security Advisor at CyberPWN Technologies, a digital defense consulting firm. CISA orders federal agencies to regularly perform IT asset discovery, vulnerability enumerationA new directive issued by the Cybersecurity and Infrastructure Security Agency is ordering US federal civilian agencies to perform regular asset discovery and vulnerability enumeration, to better account for and protect the devices that reside on their networks.

Fortinet warns admins to patch critical auth bypass bug immediately
2022-10-07 13:04

Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability."An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests," Fortinet explains in a customer support bulletin issued today.

October 2022 Patch Tuesday forecast: Looking for treats, not more tricks
2022-10-07 05:30

Looking way ahead in the forecast, Microsoft Server 2012/2012 R2 will go into ESU support following the October 2023 Patch Tuesday on October 11. October 2022 Patch Tuesday forecast Expect the trend to address more CVEs in the older operating systems to continue.

Atlassian, Microsoft bugs on CISA’s must-patch list after exploitation spree
2022-10-04 00:31

The Cybersecurity and Infrastructure Security Agency late on Friday placed the flaw - tracked as CVE-2022-36804 - on its catalog of Known Exploited Vulnerabilities, effectively a must-patch list. CISA put the vulnerability in Bitbucket Server and Data Center tools on the KEV list on the same day as two high-profile Microsoft Exchange zero-day flaws.

Hackers Exploited Zero-Day RCE Vulnerability in Sophos Firewall — Patch Released
2022-09-24 05:03

Security software company Sophos has warned of cyberattacks targeting a recently addressed critical vulnerability in its firewall product.The issue, tracked as CVE-2022-3236, impacts Sophos Firewall v19.0 MR1 and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution.

CISA orders agencies to patch vulnerability used in Stuxnet attacks
2022-09-16 16:29

The U.S. Cybersecurity and Infrastructure Security Agency has added half a dozen vulnerabilities to its catalog of Known Exploited Vulnerabilities and is ordering federal agencies to follow vendor's instructions to fix them. CISA is giving federal agencies until October 6th to patch security vulnerabilities that have been reported between 2010 and 2022.