#1 Trusted Cybersecurity News Platform
The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: patch update

Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability

Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability
October 31, 2022Ravie Lakshmanan
An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows that makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web ( MotW ) protections. The fix,  released  by 0patch, arrives weeks after HP Wolf Security  disclosed  a Magniber ransomware campaign that targets users with fake security updates which employ a JavaScript file to proliferate the file-encrypting malware. While files downloaded from the internet in Windows are tagged with a MotW flag to prevent unauthorized actions, it has since been found that corrupt Authenticode signatures can be used to allow the execution of arbitrary executables without any  SmartScreen warning . Authenticode  is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and verifies whether the software was tampered with after it was signed and published. "The [JavaScript] file actually has the Mo

Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs
October 12, 2022Ravie Lakshmanan
Microsoft's Patch Tuesday update for the month of October has addressed a total of  85 security vulnerabilities , including fixes for an actively exploited zero-day flaw in the wild. Of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the  actively exploited   ProxyNotShell  flaws in  Exchange Server . The  patches  come alongside  updates to resolve 12 other flaws  in the Chromium-based Edge browser that have been released since the beginning of the month. Topping the list of this month's patches is  CVE-2022-41033  (CVSS score: 7.8), a privilege escalation vulnerability in Windows COM+ Event System Service. An anonymous researcher has been credited with reporting the issue. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the company said in an advisory, cautioning that the shortcoming is being actively weaponized in

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities
August 18, 2022Ravie Lakshmanan
Apple on Wednesday released security updates for  iOS, iPadOS , and  macOS  platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893  - An out-of-bounds write issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894  - An out-of-bounds write issue in the operating system's Kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges Apple said it addressed both the issues with improved bounds checking, adding it's aware the vulnerabilities "may have been actively exploited." The company did not disclose any additional information regarding these attacks or the identities of the threat actors perpetrating them, although it's likely that they were abused as part of highly-targeted intrusions. The latest update brings the total number o

Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability

Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability
June 15, 2022Ravie Lakshmanan
Microsoft finally released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates. Also addressed by the tech giant are  55 other flaws , three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five more shortcomings were resolved in the Microsoft Edge browser. Tracked as  CVE-2022-30190  (CVSS score: 7.8), the  zero-day bug  relates to a remote code execution vulnerability affecting the Windows Support Diagnostic Tool (MSDT) when it's invoked using the "ms-msdt:" URI protocol scheme from an application such as Word. The vulnerability can be trivially exploited by means of a specially crafted Word document that downloads and loads a malicious HTML file through Word's remote template feature. The HTML file ultimately permits the attacker to load and execute PowerShell code within Windows. "An attacker who successfully exploits this vuln

What is the Essential Eight (And Why Non-Aussies Should Care)

What is the Essential Eight (And Why Non-Aussies Should Care)
June 14, 2022The Hacker News
In 2017, The Australian Cyber Security Center (ACSC) published a set of mitigation strategies that were designed to help organizations to protect themselves against cyber security incidents. These strategies, which became known as  the Essential Eight , are designed specifically for use on Windows networks, although variations of these strategies are commonly applied to other platforms. What is the Essential Eight?  The Essential Eight is essentially a cyber security framework that is made up of objectives and controls (with each objective including multiple controls). Initially, the Australian government only mandated that companies adhere to four of the security controls that were included in the first objective. Starting in June of 2022 however, all 98 non-corporate Commonwealth entities (NCCEs) are going to be  required to comply with the entire framework . Non-Australians take note  Although the Essential Eight is specific to Australia, organizations outside of Australia shou

Even the Most Advanced Threats Rely on Unpatched Systems

Even the Most Advanced Threats Rely on Unpatched Systems
June 09, 2022The Hacker News
Common cybercriminals are a menace, there's no doubt about it – from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups. In fact, these tools can prove almost impossible to detect – and guard against. BVP47 is a case in point. In this article, we'll outline how this powerful state-sponsored malware has been quietly circulating for years, how it so cleverly disguises itself, and explain what that means for cybersecurity in the enterprise. Background story behind BVP47 It's a long story, fit for a spy novel. Earlier this year, a Chinese cybersecurity research group called Pangu Lab published an in-depth, 56-page report covering a piece of malicious code that the research group decided to call BVP47 (because BVP was the most common string in

Cisco Releases Security Patches for TelePresence, RoomOS and Umbrella VA

Cisco Releases Security Patches for TelePresence, RoomOS and Umbrella VA
April 22, 2022Ravie Lakshmanan
Networking equipment maker Cisco has released security updates to address three high-severity vulnerabilities in its products that could be exploited to cause a denial-of-service (DoS) condition and take control of affected systems. The first of the three flaws,  CVE-2022-20783  (CVSS score: 7.5), affects Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software, and stems from a lack of proper input validation, allowing an unauthenticated, remote attacker to send specially crafted traffic to the devices. "A successful exploit could allow the attacker to cause the affected device to either reboot normally or reboot into maintenance mode, which could result in a DoS condition on the device," the company  noted  in an advisory. Credited with discovering and reporting the flaw is the U.S. National Security Agency (NSA). The issue has been addressed in Cisco TelePresence CE Software versions 9.15.10.8 and 10.11.2.2. CVE-2022-20773  (CVSS score: 7.5),

VMware Releases Critical Patches for New Vulnerabilities Affecting Multiple Products

VMware Releases Critical Patches for New Vulnerabilities Affecting Multiple Products
April 07, 2022Ravie Lakshmanan
VMware has released security updates to patch eight vulnerabilities spanning its products, some of which could be exploited to launch remote code execution attacks. Tracked from  CVE-2022-22954 to CVE-2022-22961  (CVSS scores: 5.3 - 9.8), the issues impact VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Five of the eight bugs are rated Critical, two are rated Important, and one is rated Moderate in severity. Credited with reporting all the vulnerabilities is Steven Seeley of Qihoo 360 Vulnerability Research Institute. The list of flaws is below - CVE-2022-22954  (CVSS score: 9.8) - Server-side template injection remote code execution vulnerability affecting VMware Workspace ONE Access and Identity Manager CVE-2022-22955 & CVE-2022-22956  (CVSS scores: 9.8) - OAuth2 ACS authentication bypass vulnerabilities in VMware Workspace ONE Access CVE-2022-22957 & CVE-2022-22958  (CVS

Security Patch Releases for Critical Zero-Day Bug in Java Spring Framework

Security Patch Releases for Critical Zero-Day Bug in Java Spring Framework
March 31, 2022Ravie Lakshmanan
The maintainers of Spring Framework have released an emergency patch to address a newly disclosed  remote code execution flaw  that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system. Tracked as  CVE-2022-22965 , the high-severity flaw impacts Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and other older, unsupported versions. Users are recommended to upgrade to versions 5.3.18 or later and 5.2.20 or later. The Spring Framework is a Java framework that offers infrastructure support to develop web applications. "The vulnerability impacts Spring  MVC  [model–view–controller] and Spring WebFlux applications running on [Java Development Kit] 9+," Rossen Stoyanchev of Spring.io  said  in an advisory published Thursday. "The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerabl

VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products

VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products
February 16, 2022Ravie Lakshmanan
VMware on Tuesday patched several  high-severity   vulnerabilities  impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition. As of writing, there's no evidence that any of the weaknesses are exploited in the wild. The list of six flaws is as follows – CVE-2021-22040  (CVSS score: 8.4) - Use-after-free vulnerability in XHCI USB controller CVE-2021-22041  (CVSS score: 8.4) - Double-fetch vulnerability in UHCI USB controller CVE-2021-22042  (CVSS score: 8.2) - ESXi settingsd unauthorized access vulnerability CVE-2021-22043  (CVSS score: 8.2) - ESXi settingsd TOCTOU vulnerability CVE-2021-22050  (CVSS score: 5.3) - ESXi slow HTTP POST denial-of-service vulnerability CVE-2022-22945  (CVSS score: 8.8) - CLI shell injection vulnerability in the NSX Edge appliance component Successful exploitation of the flaws could allow a malicious actor with local ad

New Chrome 0-Day Bug Under Active Attack – Update Your Browser ASAP!

New Chrome 0-Day Bug Under Active Attack – Update Your Browser ASAP!
February 15, 2022Ravie Lakshmanan
Google on Monday rolled out fixes for eight security issues in the Chrome web browser, including a high-severity vulnerability that's being actively exploited in real-world attacks, marking the first zero-day patched by the internet giant in 2022. The shortcoming, tracked  CVE-2022-0609 , is described as a  use-after-free  vulnerability in the Animation component that, if successfully exploited, could lead to corruption of valid data and the execution of arbitrary code on affected systems. "Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild," the company  said  in a characteristically brief statement acknowledging active exploitation of the flaw. Credited with discovering and reporting the flaw are Adam Weidemann and Clément Lecigne of Google's Threat Analysis Group (TAG). Also addressed by Google four other use-after-free flaws impacting File Manager, Webstore API,  ANGLE , and GPU, a heap buffer overflow bug in Tab Groups, an inte

Critical Flaws Discovered in Cisco Small Business RV Series Routers

Critical Flaws Discovered in Cisco Small Business RV Series Routers
February 03, 2022Ravie Lakshmanan
Cisco has patched multiple critical  security vulnerabilities  impacting its RV Series routers that could be weaponized to elevate privileges and execute arbitrary code on affected systems, while also warning of the existence of proof-of-concept (PoC) exploit code targeting some of these bugs. Three of the 15 flaws, tracked as CVE-2022-20699, CVE-2022-20700, and CVE-2022-20707, carry the highest CVSS rating of 10.0, and affect its Small Business RV160, RV260, RV340, and RV345 Series routers. Additionally, the flaws could be exploited to bypass authentication and authorization protections, retrieve and run unsigned software, and even cause denial-of-service (DoS) conditions. The networking equipment maker acknowledged that it's "aware that proof-of-concept exploit code is available for several of the vulnerabilities" but didn't share any further specifics on the nature of the exploit or the identity of the threat actors that may be exploiting them. CVE-2022-20699

Cisco Issues Patch for Critical RCE Vulnerability in RCM for StarOS Software

Cisco Issues Patch for Critical RCE Vulnerability in RCM for StarOS Software
January 21, 2022Ravie Lakshmanan
Cisco Systems has rolled out fixes for a critical security flaw affecting Redundancy Configuration Manager (RCM) for Cisco StarOS Software that could be weaponized by an unauthenticated, remote attacker to execute arbitrary code and take over vulnerable machines. Tracked as  CVE-2022-20649  (CVSS score: 9.0), the vulnerability stems from the fact that the debug mode has been incorrectly enabled for specific services. "An attacker could exploit this vulnerability by connecting to the device and navigating to the service with debug mode enabled," Cisco said in an advisory. "A successful exploit could allow the attacker to execute arbitrary commands as the root user." The network equipment maker, however, noted that the adversary would need to perform detailed reconnaissance to allow for unauthenticated access to vulnerable devices. Stating that the vulnerability was discovered during internal security testing, Cisco added it found no evidence of active exploitat

Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM

Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM
January 14, 2022Ravie Lakshmanan
Cisco Systems has rolled out security updates for a critical security vulnerability affecting Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited by a remote attacker to take control of an affected system. Tracked as  CVE-2022-20658 , the vulnerability has been rated 9.6 in severity on the CVSS scoring system, and concerns a privilege escalation flaw arising out of a lack of server-side validation of user permissions that could be weaponized to create rogue Administrator accounts by submitting a crafted HTTP request. "With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated to the vulnerable Cisco Unified CCMP," Cisco  noted  in an advisory published this week. " To successfully exploit this vulnerability, an attacker would need valid Advanced User credentials." Unified CCMP and Unified CCDM pro

Meeting Patching-Related Compliance Requirements with TuxCare

Meeting Patching-Related Compliance Requirements with TuxCare
January 13, 2022The Hacker News
Cybersecurity teams have many demands competing for limited resources. Restricted budgets are a problem, and restricted staff resources are also a bottleneck. There is also the need to maintain business continuity at all times. It's a frustrating mix of challenges – with resources behind tasks such as patching rarely sufficient to meet security prerogatives or compliance deadlines. The multitude of different security-related standards have ever stringent deadlines, and it is often the case that business needs don't necessarily align with those requirements. At the core of what TuxCare does is automated live patching – a way to consistently keep critical services safe from security threats, without the need to expend significant resources in doing so, or the need to live with business disruption. In this article, we'll outline how  TuxCare  helps organizations such as yours deal better with security challenges including patching, and the support of end-of-life operating s

Microsoft Issues Windows Update to Patch 0-Day Used to Spread Emotet Malware

Microsoft Issues Windows Update to Patch 0-Day Used to Spread Emotet Malware
December 15, 2021Ravie Lakshmanan
Microsoft has rolled out  Patch Tuesday updates  to address multiple security vulnerabilities in Windows and other software, including one actively exploited flaw that's being abused to deliver Emotet, TrickBot, or Bazaloader malware payloads. The latest monthly release for December fixes a total of 67 flaws, bringing the total number of bugs patched by the company this year to 887, according to the  Zero Day Initiative . Seven of the 67 flaws are rated Critical and 60 are rated as Important in severity, with five of the issues publicly known at the time of release. It's worth noting that this is in addition to the  21 flaws  resolved in the Chromium-based Microsoft Edge browser. The most critical of the lot is  CVE-2021-43890  (CVSS score: 7.1), a Windows AppX installer spoofing vulnerability that Microsoft said could be exploited to achieve arbitrary code execution. The lower severity rating is indicative of the fact that code execution hinges on the logged-on user level,

Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released

Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released
December 15, 2021Ravie Lakshmanan
UPDATE — The severity score of CVE-2021-45046, originally classified as a DoS bug, has since been revised from 3.7 to 9.0, to reflect the fact that an attacker could abuse the vulnerability to send a specially crafted string that leads to "information leak and remote code execution in some environments and local code execution in all environments." The Apache Software Foundation (ASF) has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed  Log4Shell  exploit was deemed as "incomplete in certain non-default configurations." The second vulnerability — tracked as  CVE-2021-45046  — is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, which the project maintainers shipped last week to address a critical remote code execution vulnerability (CVE-2021-44228) that could be abused to infiltrate and take over systems. The
Deals — IT Courses and Software

Sign up for our cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.