Security News

Keybase, owned by online meeting and teleconferencing behemoth Zoom, is a secure messaging and file sharing service that describes itself as providing "End-to-end encryption for things that matter." If you copy an unencrypted file from a USB drive to your laptop, for example, before uploading it into a service such as Keybase, neither the Keybase app nor the Keybase servers can do anything about those two unencrypted copies of the file that now exist.

Microsoft has removed a faulty servicing stack update, which was causing issues for Windows users when they tried to install last week's Patch Tuesday security updates. Microsoft said that the erroneous servicing-stack update froze installations for the "Cumulative Update" from the recent Windows Update.

Slovenia-based cybersecurity research company ACROS Security last week announced the release of an unofficial micro-patch for a zero-day vulnerability in Microsoft Internet Explorer that North Korean hackers are believed to have exploited in a campaign targeting security researchers. South Korean security vendor ENKI published a report on the IE zero-day in early February, claiming that North Korean hackers leveraged it to target its researchers with malicious MHTML files leading to drive-by downloads of malicious payloads.

As you know, our usual advice for Patch Tuesday boils down to four words, "Patch early, patch often." As well as the four potential RCE holes mentioned above, there's also a patch for a bug dubbed CVE-2021-1732 that is already being abused in the wild by hackers.

Microsoft has addressed important severity remote code execution vulnerabilities affecting multiple Office products in the January 2021 Office security updates. Microsoft also released non-security Office updates last week addressing bugs that may lead to PowerPoint crashes and other issues affecting Windows Installer editions of Office 2016, Office 2013, and Office 2010 products.

Microsoft today rolled out updates to plug at least 56 security holes in its Windows operating systems and other software. Windows 10 users should note that while the operating system installs all monthly patch roll-ups in one go, that rollup does not typically include.

For its February Patch Day, Microsoft released security advisories covering 56 CVE-assigned vulnerabilities, 11 of them rated critical. The Windows giant managed to publish a misspelled URL on the landing page for its February updates that instead of taking visitors to the intended Microsoft Security Response Center post about API changes, pointed to msrc-blog.

The Microsoft patch drop adds to the workloads for weary defenders struggling to keep pace with the volume and pace of security updates from major vendors. Earlier Tuesday, Adobe shipped fixes for multiple dangerous security holes, including a bug in the Adobe Reader that is being exploited in "Limited targeted attacks" against Windows OS users.

Microsoft has plugged 56 security holes, including one actively exploited privilege escalation flaw. Adobe has released security updates for Acrobat and Reader, Dreamweaver, Photoshop, Illustrator, Animate, and the Magento CMS. Out of all of those, the Acrobat and Reader updates should be tested and deployed as soon as possible, as they fix a bucketload of critical and important issues in widely used solutions, including one bug that is being exploited in "Limited" attacks on Reader for Windows.

Microsoft has urged customers today to install security updates for three Windows TCP/IP vulnerabilities rated as critical and high severity as soon as possible. The three TCP/IP security vulnerabilities impact computers running Windows client and server versions starting with Windows 7 and higher.