Security News

Today is Microsoft's September 2022 Patch Tuesday, and with it comes fixes for an actively exploited Windows vulnerability and a total of 63 flaws. Five of the 63 vulnerabilities fixed in today's update are classified as 'Critical' as they allow remote code execution, one of the most severe types of vulnerabilities.

Apple has fixed a slew of vulnerabilities in macOS, iOS, and iPadOS, including a zero-day kernel vulnerability exploited by attackers in the wild. "Apple is aware of a report that this issue may have been actively exploited," the company said, and noted that the vulnerability has been remediated with improved bounds checks.

Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild.It's worth noting that CVE-2022-32917 is also the second Kernel related zero-day flaw that Apple has remediated in less than a month.

Just to be clear, if you don't want to upgrade to iOS 16 just yet, you still need to update, because the iOS 15.7 and iPadOS 15.7 updates include numerous security patches, including a fix for a bug dubbed CVE-2022-32917. APPLE-SA-2022-09-12-1: iOS 16 The big one! As well as a bunch of new features, this includes the Safari patches delivered separately for macOS, and a fix for CVE-2022-32917.

Apple has released security updates to address the eighth zero-day vulnerability used in attacks against iPhones and Macs since the start of the year. In security advisories issued on Monday, Apple revealed they're aware of reports saying this security flaw "May have been actively exploited."

A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others.

Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life. "A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network," Cisco explained in a security advisory issued on Wednesday.

A few days ago - and smack in the middle of the weekend preceding Labor Day - Taiwan-based QNAP Systems has warned about the latest round of DeadBolt ransomware attacks targeting users of its QNAP network-attached storage devices. "QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022. The campaign appears to target QNAP NAS devices running Photo Station with internet exposure," the company said in a security advisory.

We'd love to be able to determine, given that the bug relates to the incorrect handling of input data, whether this bug leads to a worrying security outcome such as EoP, short for elevation of privilege, or if it can be abused for a more disastrous result such as full-blown RCE, short for remote code execution. As a result, modern browsers generally split themselves into numerous separate processes, for example so that each tab is handled in an independent process, thus preventing one runwaway tab from trivially leeching data such as cookies and access tokens from others tabs related to completely different websites.

QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station. "QNAP® Systems, Inc. today detected the security threat DEADBOLT leveraging exploitation of Photo Station vulnerability to encrypt QNAP NAS that are directly connected to the Internet," explains the security notice.