#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

Software Updates | Breaking Cybersecurity News | The Hacker News

Category — Software Updates
Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks

Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks

Nov 29, 2024 AI Security / Cloud Security
Microsoft has addressed four security flaws impacting its artificial intelligence (AI), cloud, enterprise resource planning, and Partner Center offerings, including one that it said has been exploited in the wild. The vulnerability that has been tagged with an "Exploitation Detected" assessment is CVE-2024-49035 (CVSS score: 8.7), a privilege escalation flaw in partner.microsoft[.]com. "An improper access control vulnerability in partner.microsoft[.]com allows an unauthenticated attacker to elevate privileges over a network," the tech giant said in an advisory released this week. Microsoft credited Gautam Peri, Apoorv Wadhwa, and an anonymous researcher for reporting the flaw, but did not reveal any specifics on how it's being exploited in real-world attacks. Fixes for the shortcomings are being rolled out automatically as part of updates to the online version of Microsoft Power Apps. Also addressed by Redmond are three other vulnerabilities, two of which...
Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities

Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities

Sep 11, 2024 Enterprise Security / Vulnerability
Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution. A brief description of the issues is as follows - CVE-2024-29847 (CVSS score: 10.0) - A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution. CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) - Multiple unspecified SQL injection vulnerabilities that allow a remote authenticated attacker with admin privileges to achieve code execution The flaws impact EPM versions 2024 and 2022 SU5 and earlier, with fixes made available in versions 2024 SU1 and 2022 SU6, respectively. Ivanti said it has found no evidence of the flaws being exploited in the wild as a zero-day, but it's essential that users update to the latest...
7 PAM Best Practices to Secure Hybrid and Multi-Cloud Environments

7 PAM Best Practices to Secure Hybrid and Multi-Cloud Environments

Dec 04, 2024Risk Management / Zero Trust
Are you using the cloud or thinking about transitioning? Undoubtedly, multi-cloud and hybrid environments offer numerous benefits for organizations. However, the cloud's flexibility, scalability, and efficiency come with significant risk — an expanded attack surface. The decentralization that comes with utilizing multi-cloud environments can also lead to limited visibility into user activity and poor access management.  Privileged accounts with access to your critical systems and sensitive data are among the most vulnerable elements in cloud setups. When mismanaged, these accounts open the doors to unauthorized access, potential malicious activity, and data breaches. That's why strong privileged access management (PAM) is indispensable. PAM plays an essential role in addressing the security challenges of complex infrastructures by enforcing strict access controls and managing the life cycle of privileged accounts. By employing PAM in hybrid and cloud environments, you're not...
Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation

Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation

Aug 27, 2024 Vulnerability / Browser Security
Google has revealed that a security flaw that was patched as part of a software update rolled out last week to its Chrome browser has come under active exploitation in the wild. Tracked as CVE-2024-7965 , the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine. "Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to a description of the bug in the NIST National Vulnerability Database (NVD). A security researcher who goes by the online pseudonym TheDog has been credited with discovering and reporting the flaw on July 30, 2024, earning them a bug bounty of $11,000. Additional specifics about the nature of the attacks exploiting the flaw or the identity of the threat actors that may be utilizing it have not been released. The tech giant, however, acknowledged that it's aware of the ...
cyber security

The AppSec & R&D Playbook: How to Align Security and Innovation

websiteBackslashApplication Security
AppSec vs. R&D? Bridge the gap with clear steps to streamline workflows and foster collaboration.
Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool

Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool

Jul 11, 2024 Vulnerability / Enterprise Security
Palo Alto Networks has released security updates to address five security flaws impacting its products, including a critical bug that could lead to an authentication bypass. Cataloged as CVE-2024-5910 (CVSS score: 9.3), the vulnerability has been described as a case of missing authentication in its Expedition migration tool that could lead to an admin account takeover. "Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition," the company said in an advisory. "Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue." The flaw impacts all versions of Expedition prior to version 1.2.92, which remediates the problem. Synopsys Cybersecurity Research Center's (CyRC) Brian Hysell has been credited with discovering and reporting the issue. While there is no evidence that the vulnerability has be...
Apple Launches Private Cloud Compute for Privacy-Centric AI Processing

Apple Launches Private Cloud Compute for Privacy-Centric AI Processing

Jun 11, 2024 Cloud Computing / Artificial Intelligence
Apple has announced the launch of a "groundbreaking cloud intelligence system" called Private Cloud Compute (PCC) that's designed for processing artificial intelligence (AI) tasks in a privacy-preserving manner in the cloud. The tech giant described PCC as the "most advanced security architecture ever deployed for cloud AI compute at scale." PCC coincides with the arrival of new generative AI (GenAI) features – collectively dubbed Apple Intelligence , or AI for short – that the iPhone maker unveiled in its next generation of software, including iOS 18 , iPadOS 18 , and macOS Sequoia . All of the Apple Intelligence features, both the ones that run on-device and those that rely on PCC, leverage in-house generative models trained on "licensed data, including data selected to enhance specific features, as well as publicly available data collected by our web-crawler, AppleBot." With PCC, the idea is to essentially offload complex requests that requir...
Apple Releases Security Updates to Patch Critical iOS and macOS Security Flaws

Apple Releases Security Updates to Patch Critical iOS and macOS Security Flaws

Dec 12, 2023 Zero Day / Vulnerability
Apple on Monday released  security patches  for iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser to address multiple security flaws, in addition to backporting fixes for two recently disclosed zero-days to older devices. This includes updates for  12 security vulnerabilities  in iOS and iPadOS spanning AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit.  macOS Sonoma 14.2 , for its part, resolves 39 shortcomings, counting six bugs impacting the  ncurses library . Notable among the flaws is  CVE-2023-45866 , a critical security issue in Bluetooth that could allow an attacker in a privileged network position to inject keystrokes by spoofing a keyboard. The vulnerability was disclosed by SkySafe security researcher Marc Newlin last week. It has been remediated in iOS 17.2, iPadOS 17.2, and macOS Sonoma 14.2 with improved checks, the iPhone maker said. Also released by Apple is  Safari 17.2 , co...
Expert Insights / Articles Videos
Cybersecurity Resources