December 8, 2020 — A security researcher has gone public with a chain of vulnerabilities in Microsoft Teams that they claim could have allowed an attacker to plant malicious code on systems simply by tricking a target into viewing a maliciously crafted chat message.
Oskars Vegeris found and reported the cross-platform bugs to Microsoft at the end of August. The tech giant addressed the issue at the end of October through an automated update. Source: The Daily Swig
The two packages were named jdb.js and db-json.js; both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications. Source: ZDNet
November 24, 2020 — Web application attacks have increased by over 800%, according to the State of the Web Security for H1 2020 report.
Published by CDN and cloud security provider CDNetworks, the report found that during the first half of this year, web application attacks, which use malformed requests or injected payloads to steal data, modify data or obtain privileges illicitly, increased nine times relative to H1 2019.
CDNetworks saw and blocked over 4.2 billion web application attacks during H1 2020. Source: ITPro
November 23, 2020 — Facebook has fixed a critical flaw in the Facebook Messenger for Android messaging app. Natalie Silvanovich of Google’s Project Zero reported the bug to the Facebook bug bounty program. The bug could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e. web browser). Source: Security Magazine
November 6, 2020 — Just days after Google disclosed an actively-exploited bug in Windows and discovered and squashed two zero-day bugs in its Chrome web browser, Apple has released patches of its own to fix three zero-day vulnerabilities under active attacks. The trio of flaws, affecting a broad range of Apple’s products, also happened to be unearthed by the bug-hunting crew of the Alphabet-owned company. Source: Welivesecurity
October 21, 2020 — Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today.
Google released Chrome version 86.0.4240.111 today to patch several high-severity security issues, including a zero-day vulnerability that has been exploited in the wild by attackers to hijack targeted computers. Source: The Hacker News
October 16, 2020 — Microsoft has published today two out-of-band security updates to address security issues in the Windows Codecs library and the Visual Studio Code application.
October 5, 2020 — The cloud was already a big topic before the pandemic started and pushed organizations to adopt the cloud more quickly than originally planned. But the pandemic has pushed many organizations to deploy and update applications sooner than expected to support the increased number of employees working from home. Source: Security Boulevard
September 25, 2020 — The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) recently issued a Risk Alert (the “Alert”) discussing cybersecurity observations from its examinations over time. The Alert did not state the time period of examinations included; however, OCIE has conducted several cybersecurity targeted exams over recent years. Source: Security Magazine
September 24, 2020 — Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said this morning.
“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks,” the company wrote in a series of tweets. Source: ZDNet
September 17, 2020 — Cyber attack confirmed – security gap in widespread software enabled access – recovery proceeds step by step.
Since last Thursday (September 10th) the IT systems of the University Hospital Düsseldorf (UKD) have been largely disrupted. The UKD therefore remains withdrawn from emergency care, and patients with appointments should contact the treating department to coordinate. Source: UKD
July 22, 2020 — Roundcube is urging users to update their installations to resolve a security vulnerability that can be exploited to conduct stored, or persistent, cross-site scripting (XSS) attacks.
July 14, 2020 — Analysis of the Alexa top 1000 websites has revealed a troubling lack of the security controls required to prevent data theft and loss through client-side attacks. Source: Info Security Magazine