Security News

New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw
2021-12-28 19:33

A short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware. "The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker," SophosLabs researchers Andrew Brandt and Stephen Ormandy said in a new report published Tuesday.

Week in review: Log4j new vulnerabilities, Microsoft patch bypass, 2022 e-commerce threat trends
2021-12-26 09:00

The Log4j saga: New vulnerabilities and attack vectors discovered
The Apache Log4j saga continues, as several new vulnerabilities have been discovered in the popular library since Log4Shell was fixed by releasing Log4j v2.15.0.

Cyber insurance trends: Insurers and insurees must adapt equally to growing threats
In this interview with Help Net Security, Avi Bashan, CTO at Kovrr, talks about cyber insurance trends and how the growing threat landscape impacted both insurers and insurees.

Attackers bypass Microsoft patch to deliver Formbook malware
2021-12-22 09:19

Sophos Labs researchers have detected the use of a novel exploit able to bypass a patch for a critical vulnerability affecting the Microsoft Office file format. The attackers took a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook malware.

Apache’s other product: Critical bugs in ‘httpd’ web server, patch now!
2021-12-21 19:57

With more than 3000 files totalling close to a million lines of source code, Apache httpd is a large and capable server, with myriad combinations of modules and options making it both powerful and dangerous at the same time. Apache just published an httpd update that fixes two CVE-numbered security bugs.

Third Log4J Bug Can Trigger DoS; Apache Issues Patch
2021-12-20 16:01

No, you're not seeing triple: On Friday, Apache released yet another patch - version 2.17 - for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug. The latest bug isn't a variant of the Log4Shell remote-code execution bug that's plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service in Apache's initial patch.

Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability
2021-12-19 21:02

The issues with Log4j continued to stack up as the Apache Software Foundation on Friday rolled out yet another patch for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service attack. Tracked as CVE-2021-45105, the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution, which, in turn, stemmed from an "incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.

Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released
2021-12-18 05:56

The Apache Software Foundation has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as "incomplete in certain non-default configurations." The second vulnerability - tracked as CVE-2021-45046 - is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, which the project maintainers shipped last week to address a critical remote code execution vulnerability that could be abused to infiltrate and take over systems.

CISA urges VMware admins to patch critical flaw in Workspace ONE UEM
2021-12-17 18:32

CISA has asked VMware admins and users today to patch a critical security vulnerability found in the Workspace ONE UEM console that threat actors could abuse to gain access to sensitive information. Workspace ONE Unified Endpoint Management is a VMware solution for over-the-air remote management of desktops, mobile, rugged, wearables, and IoT devices.

US orders federal govt agencies to patch critical Log4j bug
2021-12-17 17:35

US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days. "To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action," CISA Director Jen Easterly said at the time.

US emergency directive orders govt agencies to patch Log4j bug
2021-12-17 17:35

US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days. The order comes through an emergency directive issued by the Cybersecurity and Infrastructure Security Agency today.