Security News

May 2022 Patch Tuesday is here, and Microsoft has marked it by releasing fixes for 74 CVE-numbered vulnerabilities, including one zero-day under active attack and two publicly known vulnerabilities. First and foremost, we have CVE-2022-26925, an "Important" spoofing vulnerability in Windows Local Security Authority that may turn into a "Critical" one if combined with NTLM relay attacks.

Microsoft has addressed an actively exploited Windows LSA spoofing zero-day that unauthenticated attackers can exploit remotely to force domain controllers to authenticate them via the Windows NT LAN Manager security protocol. The vulnerability, tracked as CVE-2022-26925 and reported by Bertelsmann Printing Group's Raphael John, has been exploited in the wild and seems to be a new vector for the PetitPotam NTLM relay attack.

Today is Microsoft's May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. Of the 75 vulnerabilities fixed in today's update, eight are classified as 'Critical' as they allow remote code execution or elevation of privileges.

At its current release rate of once every four weeks, Firefox has just over 23 years to go to equal Lara's quadruple century, and almost 30 years to reach 502*. No trouble at the version number mill. Back in February 2022, a few mainstream sites didn't seem to realise that 100 was greater than 99, presumably because they were hard-coded to use only the first two characters of the version number, millennium bug style, thus turning the text 100 either into the number 10, or into the number zero.

2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. While we often talk about the number of 0-day exploits used in-the-wild, what we're actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild.

The number of zero-day vulnerabilities exploited in the wild reached an all-time high last year, according to Mandiant. The security shop identified 80 such actively abused flaws in 2021, which Mandiant researcher James Sadowski noted is more than double the previous zero-day record from 2019.

Threat analysts report that zero-day vulnerability exploitation is on the rise, with Chinese hackers using most of them in attacks last year. Zero-day disclosures are of particular interest to hackers because they have a wider exploitation window until vendors address the flaws and clients start applying the updates.

Pwn2Own Miami 2022 has ended with competitors earning $400,000 for 26 zero-day exploits targeting ICS and SCADA products demoed during the contest between April 19 and April 21. "Thanks again to all of the competitors who participated. We couldn't have a contest without them," Trend Micro's Zero Day Initiative said today.

Google Project Zero called 2021 a "Record year for in-the-wild 0-days," as 58 security vulnerabilities were detected and disclosed during the course of the year. "The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits," Google Project Zero security researcher Maddie Stone said.

Google's bug hunters say they spotted 58 zero-day vulnerabilities being exploited in the wild last year, which is the most-ever recorded since its Project Zero team started analyzing these in mid-2014. "With this record number of in-the-wild zero-days to analyze we saw that attacker methodology hasn't actually had to change much from previous years," wrote Google security researcher Maddie Stone in Project Zero's third annual review of exploited programming blunders.