Microsoft today released updates to fix a record 141 security vulnerabilities in its Windows operating systems and related software. Once again, Microsoft is patching a zero-day vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows. Redmond also addressed multiple flaws in Exchange Server - including one that was disclosed publicly prior to today - and it is urging organizations that use Exchange for email to update as soon as possible. READ MORE...
Security teams are facing down more cyberattacks following Russia's invasion of Ukraine, and sophisticated crooks are using double-extortion techniques and, increasingly, deepfakes in their strikes. This is according to VMware, which published its Global Incident Response Threat Report for 2022 this week. VMware found a quarter of all ransomware attacks included double-extortion techniques, with top methods including blackmail (63 percent), data auction (60 percent) and name and shame (37 percent). READ MORE...
Microsoft is urging users to patch a zero-day vulnerability dubbed Dogwalk that is actively being exploited in the wild. The bug (CVE-2022-34713) is tied to a Microsoft Windows Support Diagnostic Tool and allows a remote attacker to execute code on a vulnerable system. The warning is part of a massive August Patch Tuesday update that included 121 flaws, 17 of which were critical and 101 carrying a Common Vulnerability Scoring System rating of Important. READ MORE...
Software maker Adobe has released patches for at least 25 documented security vulnerabilities that expose Windows and macOS users to malicious hacker attacks. The most urgent fix affects the ubiquitous Adobe Acrobat and Reader software used to create, view and manage PDF files across platforms. "These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak," Adobe said in a critical-severity advisory released Tuesday. READ MORE...
Industrial giants Siemens and Schneider Electric have addressed fewer than a dozen vulnerabilities in their August 2022 Patch Tuesday advisories, far fewer than in most of the previous months. It's not uncommon for these companies to address 50 vulnerabilities on a Patch Tuesday, and in some cases their advisories even covered 100 vulnerabilities. This week, however, they only published four advisories each, to inform customers about a total of just 11 vulnerabilities. READ MORE...
SAP on Tuesday announced the release of five new and two updated security notes as part of its August 2022 Security Patch Day. Of the five new security notes, four address information disclosure vulnerabilities, three of which impact SAP's BusinessObjects Business Intelligence Platform. The most severe of these vulnerabilities could allow an unauthenticated attacker "to retrieve sensitive information in plain text over the network," enterprise application security firm Onapsis notes. READ MORE...
Intel on Tuesday published 27 security advisories detailing roughly 60 vulnerabilities across firmware, software libraries, and endpoint and data center management products. The most severe of these - based on its CVSS score - is a privilege escalation bug in the Intel-maintained Open AMT Cloud Toolkit, an open-source toolkit for integrating OOB management solutions. READ MORE...
Researchers have discovered yet another set of malicious packages in PyPI, the official and most popular repository for Python programs and code libraries. Those duped by the seemingly familiar packages could be subject to malware downloads or theft of user credentials and passwords. Check Point Research, which reported its findings Monday, wrote that it didn't know how many people had downloaded the 10 packages, but its code is used in more than 390,000 projects. READ MORE...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two more flaws to its catalog of Known Exploited Vulnerabilities, based on evidence of active exploitation. One of them has spent more than two years as a zero-day bug in the Windows Support Diagnostic Tool (MSDT) and it has exploit code publicly available. Both security issues have received a high-severity score and are directory traversal vulnerabilities that could help attackers plant malware on a target system. READ MORE...
Intel's latest generation of CPUs contains a vulnerability that allows attackers to obtain encryption keys and other confidential information protected by the company's software guard extensions, the advanced feature that acts as a digital vault for security users' most sensitive secrets. Abbreviated as SGX, the protection is designed to provide a fortress of sorts for the safekeeping of encryption keys and other sensitive data, even when the operating system is maliciously compromised. READ MORE...