Security News
Sophos Labs researchers have detected the use of a novel exploit able to bypass a patch for a critical vulnerability affecting the Microsoft Office file format. The attackers took a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook malware.
With more than 3000 files totalling close to a million line of source code, Apache httpd is a large and capable server, with myriad combinations of modules and options making it both powerful and dangerous at the time. Apache just published an httpd update that fixes two CVE-numbered security bugs.
No, you're not seeing triple: On Friday, Apache released yet another patch - version 2.17 - for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug. The latest bug isn't a variant of the Log4Shell remote-code execution bug that's plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service in Apache's initial patch.
The issues with Log4j continued to stack up as the Apache Software Foundation on Friday rolled out yet another patch for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service attack. Tracked as CVE-2021-45105, the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution, which, in turn, stemmed from an "Incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.
The Apache Software Foundation has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as "Incomplete in certain non-default configurations." The second vulnerability - tracked as CVE-2021-45046 - is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, which the project maintainers shipped last week to address a critical remote code execution vulnerability that could be abused to infiltrate and take over systems.
CISA has asked VMware admins and users today to patch a critical security vulnerability found in the Workspace ONE UEM console that threat actors could abuse to gain access to sensitive information. Workspace ONE Unified Endpoint Management is a VMware solution for over-the-air remote management of desktops, mobile, rugged, wearables, and IoT devices.
US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days. "To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action," CISA Director Jen Easterly said at the time.
US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days. The order comes through an emergency directive issued by the Cybersecurity and Infrastructure Security Agency today.
VMware customers have probably had a busy week because more than 100 of the IT giant's products are impacted by the Log4j bug. Now they need to make another urgent patching effort, because the virty giant has identified another critical flaw in its products that it rates as requiring urgent attention.
Microsoft has rolled out Patch Tuesday updates to address multiple security vulnerabilities in Windows and other software, including one actively exploited flaw that's being abused to deliver Emotet, TrickBot, or Bazaloader malware payloads. It's worth noting that this is in addition to the 21 flaws resolved in the Chromium-based Microsoft Edge browser.