Security News

A day after Apple and Google rolled out urgent security updates, Microsoft has pushed software fixes as part of its monthly Patch Tuesday release cycle to plug 66 security holes affecting Windows and other components such as Azure, Office, BitLocker, and Visual Studio, including an actively exploited zero-day in its MSHTML Platform that came to light last week. Of the 66 flaws, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity.

Millions of HP OMEN laptop and desktop gaming computers are exposed to attacks by a high severity vulnerability that can let threat actors trigger denial of service states or escalate privileges and disable security solutions. The security flaw was found in a driver used by the OMEN Gaming Hub software that comes pre-installed on all HP OMEN desktops and laptops.

The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild. ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps, enabling admins to enforce two-factor authentication for application logins and users to reset their passwords.

Modern vulnerability management programs require a strategy that defines what success means for your organization's cybersecurity goals. With the changing work norms ushered in by the pandemic, endpoints have become an easy exploit target, and your vulnerability management program should give equal importance to managing both network and endpoint vulnerabilities.

Microsoft has warned thousands of Azure customers that a now-fixed critical vulnerability found in Cosmos DB allowed any user to remotely take over other users' databases by giving them full admin access without requiring authorization. "Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer's resources by using the account's primary read-write key," the company told customers.

Taiwan-based NAS maker Synology has revealed that recently disclosed remote code execution and denial-of-service OpenSSL vulnerabilities impact some of its products. "Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack or execute arbitrary code via a susceptible version of Synology DiskStation Manager, Synology Router Manager, VPN Plus Server or VPN Server," the company explains in a security advisory published earlier today.

If you plug a Razer peripheral into a Windows 10 or 11 machine, you can use a vulnerability in the Razer Synapse software - which automatically downloads - to gain SYSTEM privileges. It should be noted that this is a local privilege escalation vulnerability, which means that you need to have a Razer device and physical access to a computer.

From the get-go, too many organizations have an outdated idea of what vulnerability management entails. A holistic approach to vulnerability management includes identifying, reporting, assessing and prioritizing exposures.

The chain-split vulnerability, tracked as CVE-2021-39137, impacts "Geth," the official Golang implementation of the Ethereum protocol. Such flaws can cause corruption in blockchain services, and lead to massive outages, like the Ethereum network outage from last year.

Threat actors are attempting to exploit CVE-2021-35395, a group of vulnerabilities in the web interface of the Realtek SDK, to spread Mirai malware to vulnerable IoT devices. A week ago, IoT Inspector researchers released details about four CVE-numbered flaws affecting the Realtek SDK, which comes with a specific system on a chip manufactured by Taiwanese semiconductor company Realtek.