Security News

Prominent security practitioner Matt Tait kicked off the annual Black Hat security conference Wednesday with a call for platform vendors to make major technology changes to help cope with the surge in major software supply chain attacks. Tait, an outspoken researcher who has held stints at Google's Project Zero and the U.K.'s GCHQ intelligence agency, said mobile platforms must immediately start providing improved "On-device observability" to help defenders cope with ongoing in-the-wild zero-day attacks.

Now it's Apple's turn to be in the patch-right-now spotlight, with a somewhat under-announced emergency zero-day fix, just a few days after the company's last, and much broader, security update. These include elevation of privilege, where an otherwise uninteresting app suddenly gets the same sort of power as the operating system itself, or even remote code execution, where an otherwise innocent operation, such as viewing a web page or opening up an image, could trick the kernel into running completely untrusted code that didn't come from Apple itself.

There are three new, unpatched zero-day vulnerabilities in Kaseya Unitrends that include remote code execution and authenticated privilege escalation on the client-side. Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery technology that's delivered as either disaster recovery-as-a-service or as an add-on for the Kaseya Virtual System/Server Administrator remote management platform.

Apple patched a zero-day flaw on Monday, found in both its iOS and macOS platforms that's being actively exploited in the wild and can allow attackers to take over an affected system. Apple released three updates, iOS 14.7., iPadOS 14.7.1 and macOS Big Sur 11.5.1 to patch the vulnerability on each of the platforms Monday.

The bug, CVE-2021-30807, was found in the iGiant's IOMobileFrameBuffer code, a kernel extension for managing the screen frame buffer that could be abused to run malicious code on the affected device. Apple did not say who might be involved in the exploitation of this bug.

Apple has released security updates to address a zero-day vulnerability exploited in the wild and impacting iPhones, iPads, and Macs. Three iOS zero-days in February, exploited in the wild and reported by anonymous researchers.

iPhone users, drop what you're doing and update now: Apple has issued a warning about a ream of code-execution vulnerabilities - some of which are remotely exploitable - and experts are emphatically recommending an ASAP update to version 14.7 of iOS and iPadOS. Unfortunately, you aren't getting a fix for the flaw that makes your iPhones easy prey for Pegasus spyware. A local attacker may be able to execute code on the Apple T2 Security Chip due to multiple logic issues in IOKit.

Microsoft has shared a workaround for a Windows 10 zero-day vulnerability that can let attackers gain admin rights on vulnerable systems and execute arbitrary code with SYSTEM privileges. "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists on multiple system files, including the Security Accounts Manager database," Microsoft explains in a security advisory published on Tuesday evening.

Microsoft has shared a workaround for a Windows 10 zero-day vulnerability that can let attackers gain admin rights on vulnerable systems and execute arbitrary code with SYSTEM privileges. "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists on multiple system files, including the Security Accounts Manager database," Microsoft explains in a security advisory published on Tuesday evening.

The Cyberspace Administration of China has issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to mandatorily disclose them first-hand to the government authorities within two days of filing a report. The "Regulations on the Management of Network Product Security Vulnerability" are expected to go into effect starting September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and prevent security risks.