Security News

The Cybersecurity and Infrastructure Security Agency has added ten new security bugs to its list of actively exploited vulnerabilities, including a high severity local privilege escalation bug in the Windows Common Log File System Driver. According to a binding operational directive issued in November, all Federal Civilian Executive Branch Agencies agencies must secure their systems against this security flaw after being added to CISA's catalog of Known Exploited Vulnerabilities.

A proof-of-concept exploit has been released online for the VMware CVE-2022-22954 remote code execution vulnerability, already being used in active attacks that infect servers with coin miners. The vulnerability is a critical remote code execution impacting VMware Workspace ONE Access and VMware Identity Manager, two widely used software products.

Apache has fixed a critical vulnerability in its vastly popular Struts project that was previously believed to have been resolved but, as it turns out, wasn't fully remedied. Tracked as CVE-2021-31805, the critical vulnerability exists in Struts 2 versions from 2.0.0 up to and including 2.5.29.

CISA adds 8 known security vulnerabilities as priorities to patch. The Cybersecurity & Infrastructure Security Agency, or CISA, maintains a database of known security vulnerabilities.

Microsoft's massive April Patch Tuesday includes one bug that has already been exploited in the wild and a second that has been publicly disclosed. While its severity score didn't rank as high as some on today's list - it received a 7.8 CVSS score aka "Important" - Microsoft stated its attack complexity low.

Today is Microsoft's April 2022 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 119 flaws. [...]

Log4Shell exploitation: Which applications may be targeted next?Spring4Shell has dominated the information security news these last six days, but Log4Shell continues to demand attention and action from enterprise defenders as diverse vulnerable applications are being targeted in attacks in the wild. Security flaws found in 82% of public sector software applicationsVeracode has released new findings that show the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors.

Microsoft announced that Windows Autopatch, a service designed to automatically keep Windows and Office software up to date, will be released in July 2022. Windows Autopatch is a new managed service offered for free to all Microsoft customers who already have a Windows 10/11 Enterprise E3 or above license.

March Patch Tuesday releases followed in the footsteps of February with low numbers of CVEs reported and resolved, and all updates rated as important except one critical update for Microsoft Exchange Server. Could April Patch Tuesday provide the deluge of critical updates we were expecting last month?

If you go off-market, things can get much more dangerous, not least because there are many unofficial Android app stores out there where pretty much anything goes, including some app repositories that deliberately pitch themselves as a handy place to get at software that Google "Doesn't want you to have". As an aside, you might think that no one would deliberately seek out apps that clearly wouldn't be permitted on Google Play, or that have already been rejected by Google.