By Paul Ducklin. Thanks to Bill Kearney of Sophos Rapid Response for his work on this article. If you’ve read the recent Sophos 2021 Threat Report, you’ll know that we deliberately included a section about all the malware out there that isn’t ransomware. Sure, ransomware understandably hogs the media headlines . . .
The critical and important-severity flaws were found by a team at the China-based Tianfu Cup hacking challenge. VMware has hurried out fixes for a critical flaw in its ESXi hypervisor, a few weeks after it was found during China’s Tianfu Cup hacking competition. The use-after-free vulnerability (CVE-2020-4004) has a CVSS . . .
By Paul Ducklin. Modern telephony is full of anachronisms. For example, we still “dial” calls, and many phone apps still display the word “dialling” while they’re waiting for the person at the other end to pick up. But when was the last time you saw, let alone used, a phone . . .
The company patched a vulnerability that could connect video and audio calls without the knowledge of the person receiving them. Facebook has patched a significant flaw in the Android version of Facebook Messenger that could have allowed attackers to spy on users and potentially identify their surroundings without them knowing. . . .
Threat actors mount year-long campaign of espionage, exfiltrating data, stealing credentials and installing backdoors on victims’ networks. China-backed APT Cicada joins the list of threat actors leveraging the Microsoft Zerologon bug to stage attacks against their targets. In this case, victims are large and well-known Japanese organizations and their subsidiaries, . . .
Attackers can exploit the feature and send people’s data directly to remote servers, posing a privacy and security risk, researchers said. Security researchers are blasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters and VPNs. They say . . .
The vulnerabilities, which are all being abused for targeted attacks, affect a long list of devices. Just days after Google disclosed an actively-exploited bug in Windows and discovered and squashed two zero-day bugs in its Chrome web browser, Apple has released patches of its own to fix three zero-day vulnerabilities . . .
Cisco also disclosed high-severity vulnerabilities in its Webex and SD-WAN products.
Another week, another Chrome zero-day, this time on your phone.
Tech giant and feds this week renewed their call for organizations to update Active Directory domain controllers. Threat actors continue to exploit the Microsoft Zerologon vulnerability, a situation that’s been a persistent worry to both the company and the U.S. government over the last few months. Both on Thursday renewed . . .