The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Internet Explorer is dead, but not the mess it left behind. Microsoft earlier today issued an emergency security advisory warning millions of Windows users of a new zero-day vulnerability in Internet Explorer (IE) browser that attackers are actively exploiting in the wild — and there is no patch yet available for it. The vulnerability, tracked as CVE-2020-0674 and rated moderated, is a remote code execution issue that exists in the way the scripting engine handles objects in memory of Internet Explorer and triggers through JScript.dll library. A remote attacker can execute arbitrary code on targeted computers and take full control over them just by convincing victims into opening a maliciously crafted web page on the vulnerable Microsoft browser. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as...

Penetration tests have long been known as a critical security tool that exposes security weaknesses through simulated attacks on an organization's IT environments. These test results can help prioritize weaknesses, providing a road-map towards remediation. However, the results are also capable of doing even more. They identify and quantify security risk, and can be used as a keystone in cybersecurity policies. The same can be said about broader penetration testing practices. Organizations gain real value from learning about others' penetration testing experiences, trends, and the role they play in today's threat landscape. The world of pen testing can be an interesting balance of open collaboration and closely guarded privacy. While pen testers may engage in teaming exercises, or happily talk technique when they attend Black Hat, most organizations are extremely reluctant when it comes to discussing their pen testing practices and results. Of course, confidentia...

Great news for iOS users! You can now use your iPhone or iPad, running iOS 10 or later, as a physical security key for securely logging into your Google account as part of the Advanced Protection Program for two-factor authentication. Android users have had this feature on their smartphones since last year, but now Apple product owners can also use this advanced, phishing-resistant form of authentication as an alternative to a physical security key. Adding extra security later of two-step authentication is one of the more essential steps you can take to secure your online accounts, which makes it harder for attackers to log in to your account, especially when they steal your password. "According to a study we [Google] released last year, people who exclusively used security keys to sign into their accounts never fell victim to targeted phishing attacks," said Shuvo Chatterjee, Product Manager at Google's Advanced Protection Program. Google recently update...

After Adobe today releases its first Patch Tuesday updates for 2020, Microsoft has now also published its January security advisories warning billions of users of 49 new vulnerabilities in its various products. What's so special about the latest Patch Tuesday is that one of the updates fixes a serious flaw in the core cryptographic component of widely used Windows 10, Server 2016 and 2019 editions that was discovered and reported to the company by the National Security Agency (NSA) of the United States. What's more interesting is that this is the first security flaw in Windows OS that the NSA reported responsibly to Microsoft, unlike the  Eternalblue SMB flaw that the agency kept secret for at least five years and then was leaked to the public by a mysterious group, which caused WannaCry menace in 2017. CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability According to an advisory released by Microsoft, the flaw, dubbed ' NSACrypt ' and tracked as CVE-20...

Adobe today released software updates to patch a total of 9 new security vulnerabilities in two of its widely used applications, Adobe Experience Manager and Adobe Illustrator. It's the first Patch Tuesday for the year 2020 and one of the lightest patch releases in a long time for Adobe users. Moreover, none of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild. 5 of the 9 security vulnerabilities are 'critical' in severity, and all of them affect Adobe Illustrator CC versions 24.0 and earlier, which were reported to the company by Fortinet's FortiGuard Labs researcher Honggang Ren. According to an advisory published by Adobe, all five critical issues in Adobe Illustrator software are memory corruption bugs that could allow an attacker to execute arbitrary code on targeted systems in the context of the current user. The rest 4 security vulnerabilities affect Adobe Experience Manager —...