Security News

Microsoft has patched another zero-day bug used by attackers to circumvent the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising any red...

Today is Microsoft's March 2023 Patch Tuesday, and security updates fix two actively exploited zero-day vulnerabilities and a total of 83 flaws. This month's Patch Tuesday fixes two zero-day vulnerabilities actively exploited in attacks.

Unknown attackers used zero-day exploits to abuse a new FortiOS bug patched this month in attacks targeting government and large organizations that have led to OS and file corruption and data loss. The list of affected products includes FortiOS version 6.4.0 through 6.4.11, FortiOS version 7.0.0 through 7.0.9, FortiOS version 7.2.0 through 7.2.3, and all versions of FortiOS 6.0 and 6.2.

The Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution. The day after the release of the GoAnywhere patch, the Clop ransomware gang contacted BleepingComputer and said they were responsible for the attacks.

The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that's widely used by public institutions and universities, the re-infiltration in October 2022 involved the exploitation of a zero-day in the same program.

Get hired in cybersecurity: Expert tips for job seekersIn this Help Net Security interview, Joseph Cooper, Cybersecurity Recruiter at Aspiron Search, offers practical advice for job seekers and talks about how the cybersecurity profession continues to expand. Admins, patch your Cisco enterprise security solutions!Cisco has released security updates for several of its enterprise security and networking products.

The U.S. Cybersecurity and Infrastructure Security Agency has added four security vulnerabilities exploited in attacks as zero-day to its list of bugs known to be abused in the wild.According to a November 2021 binding operational directive, all Federal Civilian Executive Branch Agencies agencies are required to secure their systems against security bugs added to CISA's catalog of Known Exploited Vulnerabilities.

Apple this week released bug-splatting updates to its operating systems and Safari browser, to fix a zero-day vulnerability in its WebKit browser engine that's reported to have been actively exploited. Apple's advisory says the company "Is aware of a report that this issue may have been actively exploited." It credits an anonymous researcher for reporting the bug and its iOS advisory also acknowledges "The Citizen Lab at The University of Toronto's Munk School for their assistance."

We counted 75 CVE-numbered bugs dated 2023-02-14, given that this year's February updates arrived on Valentine's Day. We extracted a list and included it below, sorted so that the bugs dubbed Critical are at the top.

The February 2023 Patch Tuesday is upon us, with Microsoft releasing patches for 75 CVE-numbered vulnerabilities, including three actively exploited zero-day flaws. "The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer," Microsoft explains.