Security News

An unpatched local privilege escalation vulnerability affecting all Windows 7 and Server 2008 R2 devices received a free and temporary fix today through the 0patch platform. 0patch's free micropatch is targeting Windows 7 and Server 2008 R2 computers without ESU and those with ESU. At the moment, only small-and-midsize businesses or organizations with volume-licensing agreements can get an ESU license until January 2023.

The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager. The critical unpatched bug is a command injection vulnerability.

VMware has released a workaround to address a critical zero-day in multiple VMware Workspace One components that allows attackers to execute commands on the host Linux and Windows operating systems using escalated privileges. The vulnerability tracked as CVE-2020-4006 is a command injection bug - with a 9.1/10 CVSSv3 severity rating - found in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.

Mozilla Firefox 83 was released today with a new feature called 'HTTPS-Only Mode' that secures your browsing sessions by rewriting URLs to secure HTTPS versions. Windows, Mac, and Linux desktop users can upgrade to Firefox 83 by going to Options -> Help -> About Firefox.

Google is asking Chrome desktop users to prepare to update their browsers once again as two more zero-day vulnerabilities have been identified in the software. CVE-2020-16017 is described by Google as a "Use-after-free in site isolation," which is the Chrome component that isolates the data of different sites from each other.

Google has released Chrome 86.0.4240.198 for Windows, Mac, and Linux to address two zero-day vulnerabilities exploited in the wild. Google Chrome 86.0.4240.198 will roll out over the coming days.

Google has released another update for Chrome 86 to patch two more zero-day vulnerabilities that have been exploited in the wild. Google has credited "Anonymous" for reporting the flaws - it's unclear if it's the same or two different anonymous individuals - and it has not shared any information about the attacks in which they have been exploited.

Microsoft has fixed today a Windows kernel zero-day vulnerability exploited in the wild as part of targeted attacks and publicly disclosed by Project Zero, Google's 0day bug-hunting team, last month. According to Project Zero researchers Mateusz Jurczyk and Sergei Glazunov who discovered it, the security flaw currently tracked as CVE-2020-17087 is a pool-based buffer overflow found in the Windows Kernel Cryptography Driver.

Git LFS vulnerability allows attackers to compromise targets' Windows systemsA critical vulnerability in Git Large File Storage, an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker's malicious repository using a vulnerable Git version control tool, security researcher Dawid Golunski has discovered. November 2020 Patch Tuesday forecast: Significant OS changes aheadNovember Patch Tuesday and the end-of-year holidays are rapidly approaching.

Apple has patched three previously identified zero-day vulnerabilities in its iPhone, iPod and iPad devices potentially related to a spate of related flaws recently discovered by the Google Project Zero team that also affect Google Chrome and Windows. Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild.