Security News

Security hardware manufacturer SonicWall is urging customers to patch a set of three zero-day vulnerabilities affecting both its on-premises and hosted Email Security products. "In at least one known case, these vulnerabilities have been observed to be exploited 'in the wild,'" SonicWall said in a security advisory published earlier today.

Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure SSL VPN appliance actively exploited in attacks against worldwide organizations and focused on US Defense Industrial base networks. To mitigate the vulnerability tracked as CVE-2021-22893, Pulse Secure advises customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R.11.

Seventh Knight has developed an embedded solution with the MaaS360 technology powered by IBM. The solution helps clients secure their enterprise networks from ransomware and zero day attacks, while also providing protection to clients of any size through its MSSP reseller program and direct sales initiative. Seventh Knight announced AppMoat360, a UEM Security Service to provide control and security over the growing number of mobile and IoT devices, as well as to most Microsoft Windows environments, including Windows 10, 7, XP, Virtualized, and Server variants, which is critical to clients running a mix of modern and legacy systems.

A second Chromium zero-day remote code execution exploit has been released on Twitter this week that affects current versions of Google Chrome, Microsoft Edge, and likely other Chromium-based browsers. A zero-day vulnerability is when detailed information about a vulnerability or an exploit is released before the affected software developers can fix it.

Microsoft had its hands full Tuesday snuffing out five zero-day vulnerabilities, a flaw under active attack and applying more patches to its problem-plagued Microsoft Exchange Server software. Of note, the U.S. National Security Agency released information on four critical Exchange Server vulnerabilities impacting versions released between 2013 and 2019.

As has become normal, Google did not provide any other details on the attacks or provide any IOCs to help organizations find signs of infection. So far in 2021, Google has rushed out fixes for at least three separate in-the-wild zero-day attacks.

Today is Microsoft's April 2021 Patch Tuesday, and with it comes five zero-day vulnerabilities and more Critical Microsoft Exchange vulnerabilities. With today's update, Microsoft has fixed 108 vulnerabilities, with 19 classified as Critical and 89 as Important.

A researcher has dropped working exploit code for a zero-day remote code execution vulnerability on Twitter, which he said affects the current versions of Google Chrome and potentially other browsers, like Microsoft Edge, that use the Chromium framework. Pwn2Own contest rules require that the Chrome security team receive details of the code so they could patch the vulnerability as soon as possible, which they did; the latest version of the Chrome V8 JavaScript engine patches the flaw, Agarwal said in a comment posted in response to his own tweet.

A security researcher has dropped a zero-day remote code execution vulnerability on Twitter that works on the current version of Google Chrome and Microsoft Edge. While Agarwal states that the vulnerability is fixed in the latest version of the V8 JavaScript engine, it is not clear when Google will roll out the Google Chrome.

Cisco Systems said it will not fix a critical vulnerability found in three of its SOHO router models. The three Cisco router models and one VPN firewall device are of varying age and have reached "End of life" and will not be patched, according to Cisco.