Security News

A report released Wednesday by cybersecurity firm Trustwave looks at why security flaws often go unpatched and how organizations can beef up their patch management. The report found that despite the high severity of some of the security flaws that popped up, more than 50% of the servers were unprotected weeks and even months after an update had been released.

Google on Friday rolled out an emergency security patch to its Chrome web browser to address a security flaw that's known to have an exploit in the wild. Tracked as CVE-2021-37973, the vulnerability has been described as use after free in Portals API, a web page navigation system that enables a page to show another page as an inset and "Perform a seamless transition to a new state, where the formerly-inset page becomes the top-level document."

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher.The researcher who found the four zero-days reported them to Apple between March 10 and May 4.

Apple's macOS Finder application is currently vulnerable to a remote code execution bug, despite an apparent attempt to fix the problem. A security advisory published Tuesday by the SSD Secure Disclosure program, on behalf of researcher Park Minchan, explains that macOS Finder - which provides a visual interface for interacting with files - is vulnerable to documents with the.

Threat actors have already started targeting Internet-exposed VMware vCenter servers unpatched against a critical arbitrary file upload vulnerability patched yesterday that could lead to remote code execution. While exploit code is not yet publicly available, ongoing scanning activity was already spotted by threat intelligence company Bad Packets 12 hours ago after some of its VMware honeypots began recording attackers probing for the presence of the critical bug.

Generally speaking, file upload vulnerabilities happen when an untrusted user is allowed to upload files of their own choosing. Those untrusted files end up saved in a location where the server will subsequently treat them as trusted files instead, perhaps executing them as scripts or programs, or using them to reconfigure security settings on the server.

VMware has disclosed a critical bug in its flagship vSphere and vCenter products and urged users to drop everything and patch it. The worst of the bunch is CVE-2021-22005, described as "An arbitrary file upload vulnerability in the Analytics service" that's part of vCenter Server.

Microsoft's Patch Tuesday update last week was meant to fix print vulnerabilities in Windows but also broke network printing for many, with some admins disabling security or removing the patch to get it working. Microsoft's fix was in two phases, first to add a registry setting to increase the authorization level for remote access to printers and second, to inform admins that "The release transitions into the enforcement phase on September 14, 2021. Enforcement phase enforces the changes to address CVE-2021-1678 by increasing the authorization level without having to set the registry value." That September date was "Patch Tuesday" last week - though some admins were already having issues with network printing caused by Microsoft's other mitigation efforts.

Google on Monday released security updates for Chrome web browser to address a total of 11 security issues, two of which it says are actively exploited zero-days in the wild. Tracked as CVE-2021-30632 and CVE-2021-30633, the vulnerabilities concern an out of bounds write in V8 JavaScript engine and a use after free flaw in Indexed DB API respectively, with the internet giant credited anonymous researchers for reporting the bugs on September 8.

Manual updates required for existing Azure VMs. While working to address these bugs, Microsoft introduced an Enhanced Security commit on August 11, exposing all the details a threat actor would need to create an OMIGOD exploit. Automatic updates disabled: manually update extension using instructions here Azure Automation State Configuration, DSC Extension On Premises.