Security News

Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, both of which it says are being actively exploited in the wild. Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations parameter processing and the WebGPU inter-process communication Framework.

March 2022 Patch Tuesday forecast: Pressure mounts to resolve vulnerabilitiesFebruary 2022 Patch Tuesday was an anomaly. How to empower IT Sec and Ops teams to anticipate and resolve IT problemsEvery IT system administrator knows the misery of facing a problem for which the root cause requires hours to unearth, all the while part of the IT infrastructure entrusted to them is unavailable to users, open to attack, or not compliant with mandatory security standards.

The U.S. Cybersecurity and Infrastructure Security Agency has added 95 vulnerabilities to its list of actively exploited security issues, the largest number since issuing the binding operational directive last year. As per BOD 22-01 for reducing the risk from known exploited vulnerabilities, federal agencies are given a little over three weeks to patch the newly added 95 security flaws, the due date for most of them being March 24th. For 27 of the vulnerabilities, there is a shorter deadline for patching, March 17th, mainly because they are more recent and affect systems that give access to sensitive information or allow moving to devices on the network.

Not only did we see record low numbers of vulnerabilities addressed across all of Microsoft's operating systems, but we also saw for the first time in my experience that all the updates were only rated Important. After the reissuing of updates in January, we expected fewer CVEs would be addressed as Microsoft focused on stable updates in February, but this was unprecedented.

The recently identified vulnerability in the Log4j Java logging package has created headaches for security professionals around the world. Log4j vulnerability reduced security professionals' trust in open-source tools.

Some of the world's most popular communication apps are using an open-source library riddled with newfound security holes. The library, PJSIP - an open-source multimedia communication library - is used by Asterisk.

WhatsApp and BlueJeans are just two of the world's most popular communication apps that are using an open-source library riddled with newfound security holes. On Monday, devops platform provider JFrog Security disclosed five memory-corruption vulnerabilities in PJSIP, which supplies an API that can be used by IP telephony applications such as voice-over-IP phones and conference apps.

Rather it's more likely to be used very selectively, at least on those that haven't patched. The advisory [PDF] recommends only one type of password, Cisco's Type 8, which uses either Password-Based Key Derivation Function version 2, SHA-256, an 80-bit salt - one NSA wit described it as "What Type 4 was meant to be," in the document.

WordPress has taken the rare step of force-updating the UpdraftPlus plugin on all sites to fix a high-severity vulnerability allowing website subscribers to download the latest database backups, which often contain credentials and PII. Three million sites use the popular WordPress plugin, so the potential for exploitation was substantial, affecting a significant share of the internet, including large platforms. The vulnerability affects UpdraftPlus versions 1.16.7 to 1.22.2, and the developers fixed it with the release of 1.22.3 or 2.22.3 for the Premium version.

Adobe has released an out-of-band security update for Adobe Commerce and Magento Open Source to address active exploitation of a known vulnerability, and Google has an emergency issue, too. "Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants," the Silicon Valley stalwart said.