All posts in Security News

Following Microsoft’s release of out-of-band patches to address multiple zero-day flaws in on-premises versions of Microsoft Exchange Server, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive warning of “active exploitation” of the vulnerabilities. The alert comes on the heels of Microsoft’s disclosure that China-based hackers . . . Read more
04 Mar, 2021
0-day, Bug, chrome, Chromium, Exploit, google, Google Chrome, patch, Security News, Vulnerability, zero day

by Paul Ducklin Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code. Patch now, we said. And we’re saying it again, following Google’s otherwise cheery release of . . . Read more

Enterprise Vulnerabilities From DHS/US-CERT’s National Vulnerability Database CVE-2021-27940 PUBLISHED: 2021-03-03 resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter. CVE-2021-21312 PUBLISHED: 2021-03-03 GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before version . . . Read more

The attacks seem more widespread than initially reported, researchers say, and a look at why the Microsoft Exchange Server zero-days patched this week are so dangerous. Security researchers believe attacks exploiting four critical Microsoft Exchange Server vulnerabilities extend beyond the “limited and targeted” incidents reported by Microsoft this week when . . . Read more

Internal research and external bug-bounty programs combined to discover the vast majority of reported security issues in the company’s software. For the second year in a row, the vast majority of vulnerabilities — 92% — found in Intel’s products came from the company’s security investments, specifically internal research efforts and . . . Read more

Enterprise Vulnerabilities From DHS/US-CERT’s National Vulnerability Database CVE-2021-21312 PUBLISHED: 2021-03-03 GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before version 9.5.4, there is a vulnerability within the document upload function (Home > Management > . . . Read more

Wireless mouse-utility lacks proper authentication and opens Windows systems to attack. The mobile application called WiFi Mouse, which allows users to control mouse movements on a PC or Mac with a smartphone or tablet, has an unpatched bug allowing adversaries to hijack desktop computers, according to researcher Christopher Le Roux . . . Read more

by Paul Ducklin Remember the last big jailbreak news? It was nearly a year ago, back in May 2020, when well-known Apple jailbreaking crew unc0ver released version 5 of their jailbreak toolkit, just a week after Apple came out with iOS 13.5. The word jailbreak, at least in the IT . . . Read more

A third-party IT provider exposed valuable airline data that experts say could be a goldmine for cybercriminals. Malaysia Airlines sent out an email to frequent flyer program members assuring them that there’s “no evidence” their personal data has been misused in the wake of a supply-chain attack via a third-party . . . Read more

A flaw (CVE-2021-21166) in the Audio component of Google Chrome is fixed in a new update being pushed out to Windows, Mac and Linux users. Google has fixed a high-severity vulnerability in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the flaw. . . . Read more