Security News
Google on Friday announced that its client-side encryption for Gmail is in beta to its Workspace and education customers to secure emails sent using the web version of the platform. "Using client-side encryption in Gmail ensures sensitive data in the email body and attachments are indecipherable to Google servers," the company said in a post.
Samba has released software updates to remediate multiple vulnerabilities that, if successfully exploited, could allow an attacker to take control of affected systems. The high-severity flaws, tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in versions 4.17.4, 4.16.8 and 4.15.13 released on December 15, 2022.
Simply put, if a server does not need to see or talk to another server, then that server shouldn't be connected to the same VLAN, no exceptions. Moving on to servers, the key advice is to keep everything updated via patching.
In this Help Net Security video, Ihab Shraim, CTO at CSC, talks about how 75% of the Forbes Global 2000 are exposing themselves to significant enterprise risks as third parties maliciously register their brands, and they fail to implement key domain security measures. Of the Global 2000, 137 companies had a domain security score of "0", meaning they did not deploy any of the recommended security measures, increasing risks for various attacks that ultimately lead to revenue loss and diminished brand reputation.
SEE: Password breach: Why pop culture and passwords don't mix. Thankfully, password manager NordPass is out with its annual ranking of the world's 200 most common passwords.
A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information. The link to appeal the account deletion is an actual Facebook post on facebook.com, helping threat actors bypass email security solutions and ensure their phishing messages land in the target's inbox.
Microsoft has revised the severity of a security vulnerability it originally patched in September 2022, upgrading it to "Critical" after it emerged that it could be exploited to achieve remote code execution. Tracked as CVE-2022-37958, the flaw was previously described as an information disclosure vulnerability in SPNEGO Extended Negotiation Security Mechanism.
With no error-checking built in, sending KmsdBot a malformed command, as its controllers did one day while Akamai was watching, caused a panic crash with an "Index out of range" error. Because there is no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot's functions.
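The crash described above is a generic failure mode of any service that parses control messages positionally without first checking how many fields arrived. The following Go snippet is an added example, not KmsdBot's code and not from Akamai's write-up; it shows a hardened parser for a hypothetical line-oriented admin protocol (the verbs PING, SLEEP and ECHO and their argument counts are assumed here) that validates field counts before indexing and isolates handler panics, so a malformed line yields an error instead of taking the whole process down.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Command is a parsed control message: a verb plus its arguments.
type Command struct {
	Verb string
	Args []string
}

// ErrMalformed is returned for any line that fails validation.
var ErrMalformed = errors.New("malformed command")

// expectedArgs maps each verb to the number of arguments it requires.
// These verbs are hypothetical and exist only for this example.
var expectedArgs = map[string]int{
	"PING":  0,
	"SLEEP": 1, // seconds to sleep, must be an integer
	"ECHO":  2, // two tokens to echo back
}

// ParseCommand validates a line before any positional access, so a short,
// empty or unknown line returns an error instead of causing an
// "index out of range" panic when a handler reaches for fields[1].
func ParseCommand(line string) (Command, error) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return Command{}, fmt.Errorf("%w: empty line", ErrMalformed)
	}
	verb := strings.ToUpper(fields[0])
	want, ok := expectedArgs[verb]
	if !ok {
		return Command{}, fmt.Errorf("%w: unknown verb %q", ErrMalformed, verb)
	}
	args := fields[1:]
	if len(args) != want {
		return Command{}, fmt.Errorf("%w: %s expects %d args, got %d",
			ErrMalformed, verb, want, len(args))
	}
	// Type-check arguments that a handler would otherwise convert blindly.
	if verb == "SLEEP" {
		if _, err := strconv.Atoi(args[0]); err != nil {
			return Command{}, fmt.Errorf("%w: SLEEP needs an integer, got %q",
				ErrMalformed, args[0])
		}
	}
	return Command{Verb: verb, Args: args}, nil
}

// SafeDispatch parses a line and runs the handler under recover, so a bug in
// one handler is reported as an error rather than terminating the service.
func SafeDispatch(line string, handle func(Command) string) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			out = ""
			err = fmt.Errorf("handler panic: %v", r)
		}
	}()
	cmd, err := ParseCommand(line)
	if err != nil {
		return "", err
	}
	return handle(cmd), nil
}

// echoHandler is a trivial handler used to demonstrate dispatch.
func echoHandler(c Command) string {
	return c.Verb + ":" + strings.Join(c.Args, ",")
}

func main() {
	// Constructed sample input: one well-formed line and two malformed ones.
	for _, line := range []string{"echo a b", "SLEEP", "SLEEP ten"} {
		out, err := SafeDispatch(line, echoHandler)
		fmt.Printf("%-12q -> out=%q err=%v\n", line, out, err)
	}
}
```

The point to carry over to any network-facing service is that the field count and argument types are checked once, in one place, before any code indexes into the slice; the recover in SafeDispatch is a second layer for handler bugs, not a substitute for the validation.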
VMware released security updates to address a critical-severity vulnerability impacting ESXi, Workstation, Fusion, and Cloud Foundation, and a critical-severity command injection flaw affecting vRealize Network Insight. The VMware ESXi heap out-of-bounds write vulnerability is tracked as CVE-2022-31705 and has received a CVSS v3 severity rating of 9.3.
Tech giant Microsoft released its last set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month.