Security News

Business software provider Zoho urged customers today to update their Desktop Central and Desktop Central MSP installation to the latest available version. Zoho's ManageEngine Desktop Central is a management platform that helps admins deploy patches and software automatically over the network and troubleshoot them remotely.

Free unofficial patches have been released to protect Windows users from a local privilege escalation zero-day vulnerability in the Mobile Device Management Service impacting Windows 10, version 1809 and later. While Microsoft has most likely also noticed Naceri's June disclosure, the company is yet to patch this LPE bug, exposing Windows 10 systems with the latest November 2021 security updates to attacks.

A sad-faced Microsoft engineer has had to reset the "Days since we last shot ourselves in the foot" counter at the company's HQ after a security update broke Microsoft Defender for Endpoint on Windows Server Core. The latter included the LTSC editions of Windows 10 as Microsoft pointed out, only devices with a Windows Server Core installation were affected.

Proof-of-concept exploit code has been released online over the weekend for an actively exploited high severity vulnerability impacting Microsoft Exchange servers.The security bug tracked as CVE-2021-42321 impacts on-premises Exchange Server 2016 and Exchange Server 2019 and was patched by Microsoft during this month's Patch Tuesday.

A free and unofficial patch is now available for a zero-day local privilege escalation vulnerability in the Windows User Profile Service that lets attackers gain SYSTEM privileges under certain conditions. The bad news is that it impacts fully-updated devices running all Windows versions, including Windows 10, Windows 11, and Windows Server 2022.

The existence of a critical RCE vulnerability affecting certain versions of Palo Alto Networks firewalls using the GlobalProtect Portal VPN has been revealed by a cybersecurity company that exploited it during red team engagements for the last 12 months. The vulnerability has been patched, but since there are still over 10,000 vulnerable internet-facing installations out there, Randori will refrain from publishing technical details related to the vulnerability for a month, to give affected organizations enough time to patch.

The November 2021 Patch Tuesday updates from Microsoft and Adobe are out. The a critical patch to the Windows Servicing Stack, which is how Windows delivers and installs updates, especially to machines that are running versions of Windows no longer receiving regular support.

Microsoft reported a total of 55 vulnerabilities, six of which are rated critical, with the remaining 49 being rated important. Still, as always, this Patch Tuesday delivers high-priority fixes, the most urgent of which being the duo that are under attack.

Microsoft warned admins today to immediately patch a high severity Exchange Server vulnerability that may allow authenticated attackers to execute code remotely on vulnerable servers. The security flaw tracked as CVE-2021-42321 impacts Exchange Server 2016 and Exchange Server 2019, and it is caused by improper validation of cmdlet arguments according to Redmond's security advisory.

Today is Microsoft's November 2021 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 55 flaws. The actively exploited vulnerabilities are for Microsoft Exchange and Excel, with the Exchange zero-day used as part of the Tianfu hacking contest.