
software update | Breaking Cybersecurity News | The Hacker News

Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts

Sep 29, 2023 Vulnerability / Network Security
Cisco is warning of attempted exploitation of a security flaw in its IOS Software and IOS XE Software that could permit an authenticated remote attacker to achieve remote code execution on affected systems. The medium-severity vulnerability is tracked as CVE-2023-20109, and has a CVSS score of 6.6. It impacts all versions of the software that have the GDOI or G-IKEv2 protocol enabled. The company said the shortcoming "could allow an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash." It further noted that the issue is the result of insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature and it could be weaponized by either compromising an installed key server or modifying the configuration of a group member to point to a key server that is controlled by the attacker.

Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

Jun 22, 2023 Vulnerability / Endpoint Security
Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the activity is not known.
CVE-2023-32434 - An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
CVE-2023-32435 - A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
The iPhone maker said it's aware that the two issues "may have been actively exploited against versions of iOS released before iOS 15.7," crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for reporting them. The advisory comes as the Russia

Navigating the Threat Landscape: Understanding Exposure Management, Pentesting, Red Teaming and RBVM

Apr 29, 2024 Exposure Management / Attack Surface
It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees. In the last few years, Exposure Management has become known as a comprehensive way of reining in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on your 2024 to-do list.
What is Exposure Management?
Exposure Management is the systematic identification, evaluation,

Microsoft Releases Updates to Patch Critical Flaws in Windows and Other Software

Jun 14, 2023 Patch Tuesday / Vulnerability
Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023. Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderate, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser. It's worth noting that Microsoft also closed out 26 other flaws in Edge – all of them rooted in Chromium itself – since the release of May Patch Tuesday updates. This comprises CVE-2023-3079, a zero-day bug that Google disclosed as being actively exploited in the wild last week. The June 2023 updates also mark the first time in several months that doesn't feature any zero-day flaw in Microsoft products that's publicly known or under active attack at the time of release. Topping the list of fixes is CVE-2023-29357 (CVSS score: 9.8), a privilege escalation flaw in ShareP

Microsoft's May Patch Tuesday Fixes 38 Flaws, Including 2 Exploited Zero-Day Bugs

May 10, 2023 Zero-Day / Vulnerability
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including two zero-day bugs that it said are being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been tagged with "Exploitation More Likely" assessment by Microsoft. This is aside from 18 flaws – including 11 bugs since the start of May – the Windows maker resolved in its Chromium-based Edge browser following the release of April Patch Tuesday updates. Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation. It's not immediately clear how widespread the attacks are. "An attacker who successfully exploited t

LastPass Hack: Engineer's Failure to Update Plex Software Led to Massive Data Breach

Mar 07, 2023 Password Security / Software Update
The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, in what's a sobering reminder of the dangers of failing to keep software up-to-date. The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that took place prior to August 12, 2022, along with details "available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack" between August and October 2022. The intrusion ultimately enabled the adversary to steal partially encrypted password vault data and customer information. The second attack specifically singled out one of the four DevOps engineers, targeting their home computer with a keylogger malware to obtain the credentials and breach the cloud storage environment. This, in turn, is said to have been made possible by exploiting a nearly three-y

Apple Warns of 3 New Vulnerabilities Affecting iPhone, iPad, and Mac Devices

Feb 22, 2023 Endpoint Security / Software Update
Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS. The first flaw is a race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root. The iPhone maker said it addressed the issue with additional validation. The two other vulnerabilities, credited to Trellix researcher Austin Emmitt, reside in the Foundation framework (CVE-2023-23530 and CVE-2023-23531) and could be weaponized to achieve code execution. "An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges," Apple said, adding it patched the issues with "improved memory handling." The medium to high-severity vulnerabilities have been patched in iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2 that were shipped on January 23, 2023. Trellix, in its own report on Tuesday, classified the two flaws as a "

December 2022 Patch Tuesday: Get Latest Security Updates from Microsoft and More

Dec 14, 2022 Patch Management / Vulnerability
Tech giant Microsoft released its last set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products. Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month. December's Patch Tuesday plugs two zero-day vulnerabilities, one that's actively exploited and another issue that's listed as publicly disclosed at the time of release. The former relates to CVE-2022-44698 (CVSS score: 5.4), one of the three security bypass issues in Windows SmartScreen that could be exploited by a malicious actor to evade mark of the web (MotW) protections. It's worth noting that this issue, in conjunction with CVE-2022-41091 (CVSS score: 5.4), has been observed being exploited by Magniber ransomware actors to deliver rogue JavaScript files within ZIP arc

Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Oct 12, 2022
Microsoft's Patch Tuesday update for the month of October has addressed a total of 85 security vulnerabilities, including fixes for an actively exploited zero-day flaw in the wild. Of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the actively exploited ProxyNotShell flaws in Exchange Server. The patches come alongside updates to resolve 12 other flaws in the Chromium-based Edge browser that have been released since the beginning of the month. Topping the list of this month's patches is CVE-2022-41033 (CVSS score: 7.8), a privilege escalation vulnerability in Windows COM+ Event System Service. An anonymous researcher has been credited with reporting the issue. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the company said in an advisory, cautioning that the shortcoming is being actively weaponized in

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

Aug 18, 2022
Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below -
CVE-2022-32893 - An out-of-bounds write issue in WebKit which could lead to the execution of arbitrary code by processing specially crafted web content
CVE-2022-32894 - An out-of-bounds write issue in the operating system's Kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges
Apple said it addressed both the issues with improved bounds checking, adding it's aware the vulnerabilities "may have been actively exploited." The company did not disclose any additional information regarding these attacks or the identities of the threat actors perpetrating them, although it's likely that they were abused as part of highly-targeted intrusions. The latest update brings the total number o

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Jul 13, 2022
Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks. Top of the list of this month's updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions. "With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools," Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. "With SYSTEM acce

Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities

Apr 13, 2022
Microsoft's Patch Tuesday updates for the month of April have addressed a total of 128 security vulnerabilities spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others. 10 of the 128 bugs fixed are rated Critical, 115 are rated Important, and three are rated Moderate in severity, with one of the flaws listed as publicly known and another under active attack at the time of the release. The updates are in addition to 26 other flaws resolved by Microsoft in its Chromium-based Edge browser since the start of the month. The actively exploited flaw (CVE-2022-24521, CVSS score: 7.8) relates to an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). Credited with reporting the flaw are the U.S. National Security Agency (NSA) and CrowdStrike researchers Adam Podlosky and Amir Bazine. The second publicly-known zero-day flaw (CVE-2022-26904, CVSS score: 7.0)

Microsoft's New Autopatch Feature to Help Businesses Keep Their Systems Up-to-Date

Apr 11, 2022
Microsoft last week announced that it intends to make generally available a feature called Autopatch as part of Windows Enterprise E3 in July 2022. "This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost," said Lior Bela, senior product marketing manager at Microsoft, in a post last week. "The second Tuesday of every month will be 'just another Tuesday.'" Windows Autopatch is intended to work with all supported versions of Windows 10, Windows 11, and Windows 365 for Enterprise. Windows Server OS and Windows 365 for Business, however, are not supported. The tech giant said the feature is aimed at tackling the complexity associated with software updates in enterprise IT environments as well as closing security gaps introduced as a result of not applying patches in a timely fashion, thereby opening the door to potential new threats. The managed service works by applying the updates acro

Critical Security Patches Issued by Microsoft, Adobe and Other Major Software Firms

Mar 09, 2022
Microsoft's Patch Tuesday update for the month of March has been made officially available with 71 fixes spanning across its software products such as Windows, Office, Exchange, and Defender, among others. Of the total 71 patches, three are rated Critical and 68 are rated Important in severity. While none of the vulnerabilities are listed as actively exploited, three of them are publicly known at the time of release. It's worth pointing out that Microsoft separately addressed 21 flaws in the Chromium-based Microsoft Edge browser earlier this month. All the three critical vulnerabilities remediated this month are remote code execution flaws impacting HEVC Video Extensions (CVE-2022-22006), Microsoft Exchange Server (CVE-2022-23277), and VP9 Video Extensions (CVE-2022-24501). The Microsoft Exchange Server vulnerability, which was reported by researcher Markus Wulftange, is also noteworthy for the fact that it requires the attacker to be authenticated to be able to

Critical Patches Issued for Cisco Expressway Series, TelePresence VCS Products

Mar 03, 2022
Cisco this week shipped patches to address a new round of critical security vulnerabilities affecting Expressway Series and Cisco TelePresence Video Communication Server (VCS) that could be exploited by an attacker to gain elevated privileges and execute arbitrary code. The two flaws – tracked as CVE-2022-20754 and CVE-2022-20755 (CVSS scores: 9.0) – relate to an arbitrary file write and a command injection flaw in the API and web-based management interfaces of the two products that could have serious impacts on affected systems. The company said both the issues stem from insufficient input validation of user-supplied command arguments, a weakness that could be weaponized by an authenticated, remote attacker to carry out directory traversal attacks, overwrite arbitrary files, and run malicious code on the underlying operating system as the root user. "These vulnerabilities were found during internal security testing by Jason Crowder of the Cisco Advanced Security Initiative

VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products

Feb 16, 2022
VMware on Tuesday patched several high-severity vulnerabilities impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition. As of writing, there's no evidence that any of the weaknesses are exploited in the wild. The list of six flaws is as follows –
CVE-2021-22040 (CVSS score: 8.4) - Use-after-free vulnerability in XHCI USB controller
CVE-2021-22041 (CVSS score: 8.4) - Double-fetch vulnerability in UHCI USB controller
CVE-2021-22042 (CVSS score: 8.2) - ESXi settingsd unauthorized access vulnerability
CVE-2021-22043 (CVSS score: 8.2) - ESXi settingsd TOCTOU vulnerability
CVE-2021-22050 (CVSS score: 5.3) - ESXi slow HTTP POST denial-of-service vulnerability
CVE-2022-22945 (CVSS score: 8.8) - CLI shell injection vulnerability in the NSX Edge appliance component
Successful exploitation of the flaws could allow a malicious actor with local ad

New Chrome 0-Day Bug Under Active Attack – Update Your Browser ASAP!

Feb 15, 2022
Google on Monday rolled out fixes for eight security issues in the Chrome web browser, including a high-severity vulnerability that's being actively exploited in real-world attacks, marking the first zero-day patched by the internet giant in 2022. The shortcoming, tracked as CVE-2022-0609, is described as a use-after-free vulnerability in the Animation component that, if successfully exploited, could lead to corruption of valid data and the execution of arbitrary code on affected systems. "Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild," the company said in a characteristically brief statement acknowledging active exploitation of the flaw. Credited with discovering and reporting the flaw are Adam Weidemann and Clément Lecigne of Google's Threat Analysis Group (TAG). Also addressed by Google are four other use-after-free flaws impacting File Manager, Webstore API, ANGLE, and GPU, a heap buffer overflow bug in Tab Groups, an inte