<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link href="https://www.itpro.com/feeds/tag/patch" rel="self" type="application/rss+xml" />
                            <title><![CDATA[ Latest from ITPro in Patch ]]></title>
                <link>https://www.itpro.com/tag/patch</link>
        <description><![CDATA[ All the latest patch content from the ITPro team ]]></description>
                                    <lastBuildDate>Thu, 12 Feb 2026 10:37:31 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to know ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/microsoft-patches-six-zero-days-targeting-windows-word-and-more-heres-what-you-need-to-know</link>
                                                                            <description>
                            <![CDATA[ Patch Tuesday update targets large number of vulnerabilities already being used by attackers ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">e9AepTaRWDR3JhsQ26xqff</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/7F8eeczqdKrpFNsWATj8VL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 12 Feb 2026 10:37:31 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nicole Kobie ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/8Y8JDDTQ7XDEk49FoAFP2S.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/7F8eeczqdKrpFNsWATj8VL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft logo illuminated on the side of a building at night time in Tromso, Norway.]]></media:description>                                                            <media:text><![CDATA[Microsoft logo illuminated on the side of a building at night time in Tromso, Norway.]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft logo illuminated on the side of a building at night time in Tromso, Norway.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/7F8eeczqdKrpFNsWATj8VL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has issued patches for more than 60 flaws this month, including six zero-day vulnerabilities that are already being targeted by hackers. </p><p>As part of this month's "<a href="https://msrc.microsoft.com/update-guide/releaseNote/2026-Feb" target="_blank"><u>Patch Tuesday</u></a>", Microsoft listed 58 vulnerabilities in its own software, as well as four in other tools, including Chromium. </p><p>While this number of flaws isn’t out of the ordinary, security expert Dustin Childs <a href="https://www.zerodayinitiative.com/blog/2026/2/10/the-february-2026-security-update-review" target="_blank"><u>noted </u></a>that the volume under active attack is “extraordinarily high”. </p><p>"Microsoft lists six bugs being exploited at the time of release, with three of these listed as publicly known."</p><p>Of the six zero-day flaws, five are rated as important and one moderate, rather than the more serious critical. As such vulnerabilities are already being targeted by hackers in the wild, quick patching is advised. </p><p>One targets Microsoft Word, allowing attackers to bypass local security features to access advanced control settings and possibly allow code execution. However, as Microsoft <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514" target="_blank"><u>noted</u></a>: "An attacker must send a user a malicious Office file and convince them to open it." </p><p>Another <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510" target="_blank"><u>security feature bypass flaw</u></a> being patched also requires user interaction, with a malicious link or shortcut file clicked before the attacker can make use of this bug to slip in. 
</p><p>"Successful exploitation lets the attacker suppress or evade the usual “are you sure?” security dialogs for untrusted content, making it easier to deliver and execute further payloads without raising user suspicion," said Malwarebytes security researcher Pieter Arntz in a <a href="https://www.malwarebytes.com/blog/news/2026/02/february-2026-patch-tuesday-includes-six-actively-exploited-zero-days" target="_blank"><u>blog post</u></a>. </p><p>While users need to be tricked via a malicious link, Childs noted: "Still, a one-click bug to gain code execution is a rarity."</p><p>Other zero-day flaws being addressed by Microsoft include a denial of service bug targeting Windows Remote Access Connection Manager, an elevation of privilege vulnerability in <a href="https://www.itpro.com/mobile/remote-access/368070/how-to-use-remote-desktop-on-windows-10">Windows Remote Desktop</a> Services, and a bug in Desktop Window Manager. </p><p>The last of the six zero-days affects Internet Explorer – though it may be long gone as a browser, it still lingers in <a href="https://www.itpro.com/software/microsoft/windows">Windows</a>. Once again, users need to be fooled into clicking a malicious link to enable this attack. </p><p>"The bypass here is simply the ability to reach IE, which shouldn’t be possible," noted Childs, adding that calling IE "always results in a vulnerability somehow."</p><h2 id="patches-issued-for-azure-github-copilot-flaws">Patches issued for Azure, GitHub Copilot flaws</h2><p>The remaining flaws patched by Microsoft included a trio of critical bugs spotted in <a href="https://www.itpro.com/tag/microsoft-azure">Azure</a> as well as vulnerabilities that could allow remote code execution in <a href="https://www.itpro.com/technology/artificial-intelligence/github-copilot-enterprise-promises-to-bring-back-the-joy-of-coding">GitHub Copilot</a>. 
</p><p>These flaws all center on a command injection vulnerability, noted Kevin Breem, senior director for cyber threat research at Immersive Labs, and can be triggered via <a href="https://www.itpro.com/security/the-six-biggest-security-challenges-coming-in-2026">prompt injection</a>. </p><p>Breem said this could allow a hacker to embed a malicious prompt that's triggered when a developer uses an agent workflow, potentially slipping past existing security restrictions to run code or commands. </p><p>That's particularly problematic as developers may have access to sensitive data such as API keys, he added. </p><p>"Coupled with organizations enabling both developers and automation pipelines to use <a href="https://www.itpro.com/technology/artificial-intelligence/generative-ai-vs-large-language-models">LLMs </a>and Agentic AI with the right prompt, an attacker could have a significant impact," he noted. </p><p>"This is not to say stop using <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a>, but to ensure developers understand the risks and identify what has access to AI Agents, and lastly,  least privilege can limit the impact if a developer's secrets are compromised."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ IBM AIX users urged to patch immediately as researchers sound alarm on critical flaws ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ibm-aix-users-urged-to-patch-immediately-as-researchers-sound-alarm-on-critical-flaws</link>
                                                                            <description>
                            <![CDATA[ Network administrators should patch the four IBM AIX flaws as soon as possible ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vxzjaihGiH3yGmTwaJB3vT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/T3bahCery9gj9T3n8Srp4C-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 18 Nov 2025 11:04:03 +0000</pubDate>                                                                                                                                <updated>Tue, 18 Nov 2025 11:04:48 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/T3bahCery9gj9T3n8Srp4C-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The IBM booth pictured during the RSA Conference in San Francisco, California, US, on Wednesday, April 26, 2023]]></media:description>                                                            <media:text><![CDATA[The IBM booth pictured during the RSA Conference in San Francisco, California, US, on Wednesday, April 26, 2023]]></media:text>
                                <media:title type="plain"><![CDATA[The IBM booth pictured during the RSA Conference in San Francisco, California, US, on Wednesday, April 26, 2023]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/T3bahCery9gj9T3n8Srp4C-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>IBM has issued patches for four major flaws in IBM AIX and VIOS that allow a remote, unprivileged attacker to achieve arbitrary command execution on an exposed IBM Network Installation Manager (NIM).</p><p>The <a href="https://mondoo.com/blog/four-critical-vulnerabilities-in-ibm-aix-why-you-should-patch-now" target="_blank"><u>four vulnerabilities</u></a>, tracked as CVE‑2025‑36250, CVE‑2025‑36251, CVE‑2025‑36236, and CVE‑2025‑36096, affect IBM AIX 7.2 and 7.3 as well as IBM VIOS 3.1 and 4.1 environments, with three of the four receiving a critical CVSS score.</p><p>All four flaws allow an attacker to 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in broader environments, according to an advisory from Mondoo.</p><p>“These four vulnerabilities on IBM AIX present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are)," said Patrick Münch, Mondoo CSO. </p><p>"This means that they could 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment."</p><h2 id="how-the-ibm-flaws-work">How the IBM flaws work</h2><p>CVE-2025-36250 carries a 10.0 CVSS score and affects the NIM service by allowing remote arbitrary command execution through improper process controls. </p><p>Researchers warned that an attacker could run commands of their choosing on the target AIX or VIOS system, gain full system control, install malware, create backdoors, move laterally and potentially pivot from the compromised system into other parts of the network. </p><p>Similarly, CVE‑2025‑36251 allows remote arbitrary command execution through improper process controls, affecting the SSL/TLS implementation in the NIM service. </p><p>With a critical CVSS score of 9.6, it could be used by a remote attacker to execute commands on the system, potentially without authentication. This could lead to a compromise of system integrity, data loss, or service disruption.</p><p>CVE‑2025‑36236, meanwhile, is a path-traversal vulnerability in the NIM service, allowing a remote attacker to send a specially crafted URL request to traverse directories or write arbitrary files on the system. </p><p>Researchers noted this could allow an attacker to drop malicious payloads in system directories, overwrite or inject into configuration files, or place web shells to facilitate further exploitation. 
</p><p>This particular flaw carries a CVSS score of 8.2, ranking it as high severity. </p><p>Finally, CVE‑2025‑36096 is a vulnerability in credential storage with a CVSS score of 9 (Critical). NIM private keys in IBM AIX are stored insecurely, meaning these can be accessed by an attacker via man-in-the-middle (MitM) techniques. </p><p>An attacker intercepting these communications or otherwise gaining access to the private keys could impersonate the NIM server or services or decrypt communications, which could result in system takeover.</p><h2 id="worst-case-scenarios">Worst case scenarios</h2><p>Researchers point out that, in combination, the four vulnerabilities could allow attackers to gain full access, impersonate services, move laterally, and persist or compromise broader network environments. </p><p>Moreover, the use of the operating system is widespread in critical industries, meaning the impact of a successful attack could be devastating. </p><p>"What makes this even more concerning is that IBM AIX is widely used in enterprise IT environments in critical sectors such as finance, insurance, retail, and healthcare, where high availability and security are essential," said Münch. </p><p>"Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. 
We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Vulnerability management complexity is leaving enterprises at serious risk ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/vulnerability-management-complexity-is-leaving-enterprises-at-serious-risk</link>
                                                                            <description>
                            <![CDATA[ Fragmented data and siloed processes mean remediation is taking too long ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">SdVnPF2sJhiwajZktYaWvK</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pY6qWM5GrgFHhDGkDVyDkm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Jan 2025 14:00:00 +0000</pubDate>                                                                                                                                <updated>Wed, 15 Jan 2025 15:32:03 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pY6qWM5GrgFHhDGkDVyDkm-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud security concept image showing a cloud symbol placed on top of a circuit board.]]></media:description>                                                            <media:text><![CDATA[Cloud security concept image showing a cloud symbol placed on top of a circuit board.]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud security concept image showing a cloud symbol placed on top of a circuit board.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pY6qWM5GrgFHhDGkDVyDkm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Most organizations are failing to remediate critical vulnerabilities quickly enough, with nearly seven-in-ten saying it takes them more than 24 hours.</p><p>According to new research from Swimlane, fragmented data from multiple scanners, siloed risk scoring, and poor cross-team collaboration means organizations are increasingly exposed to breaches, compliance failures, and financial penalties.</p><p>Michael Lyborg, CISO at Swimlane, said this confluence of issues and the “growing complexity” of vulnerability management has prompted a widespread rethink of how enterprises approach dangerous flaws. </p><p>"It’s no longer just about <a href="https://www.itpro.com/security/how-ai-is-changing-patch-management">patching vulnerabilities</a> — it’s about prioritizing the ones that matter most to your operations. With businesses losing an estimated $47,580 per employee each year due to manual tasks, organizations can no longer afford to operate in the reactive mode of the past."</p><p>The main reason for failures in prioritization is a lack of context or accurate information, cited by 37%, with 35% saying that's the primary reason for delays in fixing vulnerabilities too.</p><p>More than half of organizations still lack a comprehensive system for vulnerability prioritization. 
And while nearly half (45%) use a hybrid approach combining manual and automated processes for <a href="https://www.itpro.com/security/369252/cisa-issues-orders-to-polish-vulnerability-detection-in-federal-agencies">vulnerability detection</a>, seven-in-ten rely on tools like <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> posture management, and a similar number use web application scanners.</p><p>These manual processes are using up significant resources, the study noted, with 57% of security teams dedicating between a quarter and half of their time to <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">vulnerability management</a> operations. </p><p>More than half spend over five hours a week consolidating and normalizing vulnerability data, while a similar number said the limited usefulness of scanner results means they need to use additional tools and processes.</p><p>Nearly two-thirds said they weren't confident that their vulnerability management programs can meet regulatory audit requirements, and 73% expressed concern over potential fines.</p><p>Similarly, six-in-ten reported that siloed <a href="https://www.itpro.com/security/vulnerability/356709/why-vulnerability-management-is-crucial-right-now">vulnerability management</a> practices are creating inefficiencies and exposing their systems to potential security risks.</p><p>"Smarter prioritization and automation are no longer optional — they are essential to reducing vulnerabilities, preventing <a href="https://www.itpro.com/security/data-breaches">breaches</a> and ensuring continuous compliance," said Cody Cornell, co-founder and chief strategy officer at Swimlane. 
</p><p>"By blending intelligent automation with human expertise, vulnerability management teams gain the clarity they need to act decisively. Centralizing data and responding in real-time isn’t a luxury — it’s a business imperative that minimizes risk and frees up time to focus on the next challenge."</p><p>Last year, researchers at Black Duck found that the <a href="https://www.itpro.com/security/these-three-critical-sectors-are-riddled-with-high-risk-vulnerabilities">utilities sector was the worst performer in dealing with security flaws</a>, with an average of 876 days to close critical vulnerabilities in medium-sized sites. The education sector was also slow. </p><p>Perhaps because of the sector's heavy regulation, healthcare organizations were quicker to act, with an average of 87 days to close critical security vulnerabilities for small sites, 30 days for medium sites, and 20 days for large sites. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft defends “negligent” security approach that prolonged vulnerability fix for five months ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/software/microsoft/microsoft-defends-negligent-security-approach-that-prolonged-vulnerability-fix-for-five-months</link>
                                                                            <description>
                            <![CDATA[ The tech giant has refuted claims that its practices have left customers “in the dark” ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Ba96AXpHQuidH4hg8NbZYG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LvjzHSG66KB5aNNSdM8jP7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 07 Aug 2023 11:07:51 +0000</pubDate>                                                                                                                                <updated>Wed, 16 Aug 2023 15:20:50 +0000</updated>
                                                                                                                                            <category><![CDATA[Microsoft]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LvjzHSG66KB5aNNSdM8jP7-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft logo on a white background with a silhouette of a hand holding a padlock in the foreground denoting security]]></media:description>                                                            <media:text><![CDATA[Microsoft logo on a white background with a silhouette of a hand holding a padlock in the foreground denoting security]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft logo on a white background with a silhouette of a hand holding a padlock in the foreground denoting security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LvjzHSG66KB5aNNSdM8jP7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has issued a rare rebuttal to recent criticism of its alleged "negligent" security practices and approaches to patching security vulnerabilities.</p><p>Last week, Tenable chief executive Amit Yoran published a scathing critique of the company, suggesting that the firm’s “lack of transparency” and “irresponsible security practices” have exposed customers to undue risk. </p><p>Yoran said Microsoft has a history of deliberately keeping customers in the dark with regard to <a href="https://www.itpro.com/security/cyber-attacks/top-12-most-exploited-security-vulnerabilities-revealed-by-national-cyber-security-agencies"><u>security vulnerabilities</u></a> and that the company should be held accountable for its conduct. </p><p>His comments followed similar criticism of the tech giant from a US senator in the wake of a Chinese cyber espionage incident that saw emails belonging to government officials accessed by threat actors. </p><p>A <a href="https://www.itpro.com/security/microsoft-under-fire-for-negligent-security-practices-in-scathing-critique-by-industry-exec"><u>key talking point within Yoran’s claims</u></a> centered around the disclosure of a critical security vulnerability in Microsoft’s Power Platform on <a href="https://www.itpro.com/cloud/cloud-storage/368019/microsoft-cloud-storage-is-onedrive-or-azure-right-for-your-business"><u>Azure</u></a>. Tenable contends that it informed the tech giant of the issue in March this year; however, Yoran revealed it took several months before the firm issued just a “partial fix”. </p><p>This, he argued, represented a severe risk to customers using Microsoft services and amounted to a negligent approach from the firm. </p><p>Microsoft strongly disagreed with the claims. In a statement on Friday, the tech giant said that its approach to remediating this vulnerability was based on long-established practices. 
</p><p>“As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing,” Microsoft said. </p><p>“Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix.”</p><p>Microsoft said that “moving too quickly” in response to certain vulnerabilities could result in “more disruption than the risk customers bear” from a security vulnerability. 
</p><p>With this in mind, Microsoft’s lengthy approach to remediating this vulnerability does not amount to negligence, but rather a conservative, measured approach to appropriately <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management"><u>patch</u></a> a flaw and avoid any undue disruption for customers due to a botched fix.  </p><p>“The purpose of an embargo period is to provide time for a quality fix,” the firm said. “Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer.”</p><p>The flaw uncovered by Tenable in March was officially patched on 2 August, Microsoft went on to confirm.  </p><p>Similarly, an investigation into the vulnerability revealed that only a “very small subset” of customers were affected, and the vulnerability was thus deemed low risk. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ubuntu shifts to four-week update cycle ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/software/linux/ubuntu-shifts-to-four-week-update-cycle</link>
                                                                            <description>
                            <![CDATA[ Critical fixes will also come every two weeks, mitigating the issues involved with releasing prompt patches on the old three-week cadence ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">c4YQiYGN3vKZbvNdthoKtL</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/MerZpQ6vR99uzygjyKfjK8-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 02 Aug 2023 14:58:46 +0000</pubDate>                                                                                                                                <updated>Thu, 03 Aug 2023 12:46:57 +0000</updated>
                                                                                                                                            <category><![CDATA[Linux]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                <author><![CDATA[ richard.speed@futurenet.com (Richard Speed) ]]></author>                    <dc:creator><![CDATA[ Richard Speed ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/9i9jXkpYyoBCECh2PbJBGP.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/MerZpQ6vR99uzygjyKfjK8-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Red Ubuntu logo appearing on a web browser with a microscope over the logo, placing emphasis on it]]></media:description>                                                            <media:text><![CDATA[Red Ubuntu logo appearing on a web browser with a microscope over the logo, placing emphasis on it]]></media:text>
                                <media:title type="plain"><![CDATA[Red Ubuntu logo appearing on a web browser with a microscope over the logo, placing emphasis on it]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/MerZpQ6vR99uzygjyKfjK8-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Canonical Kernel Team is abandoning its update cadence in favor of a four-week cycle, and will add an additional update every two weeks for the most urgent fixes.</p><p>A move to a four-week cycle with a midpoint update will result in regular upstream stable updates, including security patches, bug fixes, and feature requests coming every four weeks. Critical fixes that can’t wait will arrive on a two-week cadence.</p><p>In the past, the <a href="https://www.itpro.com/software/open-source/ubuntu-publisher-canonical-to-assume-control-of-lxd"><u>Canonical</u></a> team worked to a three-week kernel update cycle. This, according to Kleber Souza, Linux kernel engineering manager at Canonical, made for reasonable responsiveness but was “prone to interruptions from urgent <a href="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities"><u>CVEs</u></a>, urgent customer requests and regressions found in -updates or during testing.”</p><p>The result was that the cycle tended to be extended, and delivering CVE fixes promptly was challenging.</p><p>Souza noted that OEM kernels would follow a more flexible schedule in terms of their deadlines for the acceptance of new patches.</p><p><a href="https://www.itpro.com/network-internet/internet-of-things-iot/368307/ubuntu-core-22-is-now-generally-available-for-iot"><u>Ubuntu</u></a> is one of the most popular <a href="https://www.itpro.com/operating-systems/24841/windows-vs-linux-whats-the-best-operating-system"><u>Linux</u></a> distributions, and the changes will interest engineers charged with maintaining fleets of hardware running the operating system - on-premises or in the cloud - in light of the pace of vulnerability discovery and patching.</p><p>The move was <a href="https://discourse.ubuntu.com/t/ubuntu-kernel-4-2-sru-cycle-announcement/37478/2" target="_blank"><u>described</u></a> by one user on the company’s forums as “ambitious” and comes in the wake of a relatively easy-to-exploit privilege escalation <a href="https://www.itpro.com/security/vulnerability/356709/why-vulnerability-management-is-crucial-right-now"><u>vulnerability</u></a> disclosed recently.</p><p>The vulnerability in the OverlayFS module used in Ubuntu was documented in <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-2640" target="_blank"><u>CVE-2023-2640</u></a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-32629" target="_blank"><u>CVE-2023-32629</u></a> and was exclusive to the operating system following changes made by the Canonical team in 2018.</p><p>CVE-2023-2640 permits an unprivileged user to set privileged extended attributes on mounted files. 
CVE-2023-32629 is a local privilege escalation vulnerability where permission checks are skipped.</p><p>Those changes only became an issue in 2020 when a security vulnerability patched in the Linux kernel did not make it into Ubuntu due to the earlier changes.</p><p>One report <a href="https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability" target="_blank"><u>stated</u></a> that the vulnerability could affect 40% of Ubuntu cloud workloads. Ubuntu fixed the vulnerabilities on 24 July 2023, and users were instructed to update their kernels.</p><p>With the revised cycle schedule, Souza said: “The Canonical Kernel Team is expecting to deliver more predictable updates with quicker turnaround for time-sensitive fixes”.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Should your business start a bug bounty program? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/should-your-business-start-a-bug-bounty-program</link>
                                                                            <description>
                            <![CDATA[ Big tech firms including Google, Apple and Microsoft offer bug bounty programs, but can they benefit smaller businesses too? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">RjaUR92rEaTSPeLR8Da2kc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/y8abhoQWdvEHQQfbBgpqEn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 07 Jul 2023 11:54:02 +0000</pubDate>                                                                                                                                <updated>Thu, 13 Jul 2023 12:29:09 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Kate O'Flaherty ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LUULv6n7VJ3BHPnaoLHHdg.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/y8abhoQWdvEHQQfbBgpqEn-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker's hand hovering over an illuminated MacBook keyboard - an image denoting hacking]]></media:description>                                                            <media:text><![CDATA[Hacker's hand hovering over an illuminated MacBook keyboard - an image denoting hacking]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker's hand hovering over an illuminated MacBook keyboard - an image denoting hacking]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/y8abhoQWdvEHQQfbBgpqEn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Companies of all sizes are starting to see the benefits of bug bounty programs. Big tech firms including Facebook, Google, Microsoft, and Apple have such a program in place, while <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369965/what-is-chatgpt-and-what-does-it-mean-for-businesses"><u>ChatGPT</u></a> owner OpenAI recently <a href="https://www.itpro.com/security/openai-to-pay-up-to-dollar20k-in-rewards-through-new-bug-bounty-program"><u>unveiled</u></a> such a scheme. </p><p>At a time when breaches are hitting businesses of all sizes, adversaries are constantly probing for security weaknesses through which to attack. Bug bounties help to address this issue at the source, with researchers finding vulnerabilities before they can be used in real-life attack scenarios.</p><p>Bug bounty prizes can be huge, with firms such as Google <a href="https://security.googleblog.com/2023/02/vulnerability-reward-program-2022-year.html"><u>paying out</u></a> as much as $600,000 to those who find serious holes in its products. While it might seem like a big outlay, advocates point out that the expense is still smaller than regulatory fines and reputational damage caused by a data breach.</p><h2 class="article-body__section" id="section-what-different-types-of-bug-bounty-program-are-there"><span>What different types of bug bounty program are there?</span></h2><p>Bug bounty programs are typically either public or private. 
“A public bug bounty is usually listed on sites such as <a href="https://www.hackerone.com/"><u>HackerOne</u></a> and <a href="https://www.bugcrowd.com/"><u>Bugcrowd,</u></a> or in some cases on the company’s own website,” Joshua Hickling, managing consultant at Pentest People, explains.</p><p>A private bug bounty is only joinable via invitation, usually based on the researcher’s reputation. For example, those able to find pertinent, exploitable bugs consistently will be invited to private programs, Hickling says.</p><p>An organization sets the rules of engagement for its bug bounty program, including assets in and out of scope, types of vulnerabilities, permitted testing methodologies, and reward structure. “Hackers can test for vulnerabilities that elude security teams and cannot be discovered by automated scanning tools,” says Kayla Underkoffler, lead security technologist at HackerOne. </p><p>Among the advantages, programs can be effective very quickly. According to Underkoffler, over 75% of new bug bounty programs on the HackerOne platform receive their first valid vulnerability report within 24 hours.</p><p>They can benefit firms of any size, but larger organizations that operate complex networks or handle large amounts of sensitive data are more likely to get value out of a program, says Cezary Cerekwicki, head of product security at browser maker Opera. “The larger an organization and a network, the greater the danger that vulnerabilities might go undetected.”</p><p>Large firms are a bigger target for adversaries, so a bug bounty offer might even persuade “unethical hackers” to probe for weaknesses with permission, says Leon Teale, a senior penetration tester at IT Governance. “In exchange, they could receive gifts, cash, notoriety, or honorable mentions,” he suggests.</p><p>Michael Adams, CISO at Zoom, says the company’s bug bounty program hosted on the HackerOne platform helps the firm “proactively mitigate risk and create a safer environment for our customers”. </p><p>It can be challenging for companies to identify edge-case vulnerabilities or anomalies that only occur in certain circumstances, says Adams. “That’s where the <a href="https://www.itpro.com/641470/so-you-want-to-be-an-ethical-hacker">ethical hacker</a> community can perform a vital function in the continuous testing and probing of technologies. 
In many cases, they can help organizations save time and money by identifying certain security issues before they become a bigger problem.”</p><h2 class="article-body__section" id="section-are-bug-bounty-programs-worth-the-cost"><span>Are bug bounty programs worth the cost?</span></h2><p>The cost of running a bug bounty program can vary, but experts say the outlay is worth it. There are two components to the cost: the first is the platform fee, if you use one, with firms such as Bugcrowd or HackerOne offering the service on a SaaS subscription model.</p><p>“This is what we charge for connecting organizations that want to run a program with ethical hackers, triaging the results and verifying they are legitimate vulnerabilities – as well as handling payments to the hacker community,” says Dave Gerry, CEO of bug bounty platform Bugcrowd. </p><p>The second cost is the bounties themselves – which, according to Gerry, are set by the market. “If a company’s bounty rates are too low, it will struggle to attract ethical hackers to work on the program.”</p><p>You do not have to pay, with some companies purely offering an honorable mention or some “swag” in return, says Teale. “Offering a ‘kudos’ can still be helpful to those who would like to gain recognition through this exposure – although paid bounties will always attract more testers,” he says.</p><p>The value of the bounty is usually paid based upon the seriousness of the issue, with low severity flaws seeing bounties of anywhere from $0 to $50 and critical issues in some cases exceeding $100,000, says Hickling. 
“If a vulnerability is identified which could result in the leak of personally identifiable information, paying a $100,000 bounty far outweighs the potential <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/31025/gdpr-fines-how-high-are-they-and-how-can-you-avoid"><u>GDPR fines</u></a> a business could be hit with.”</p><h2 class="article-body__section" id="section-how-to-implement-a-program-in-your-business"><span>How to implement a program in your business</span></h2><p>The benefits of having a bug bounty program are clear, but there can be challenges when implementing one. </p><p>Scoping is important, says Gerry. “To make them manageable, projects are usually targeted at a specific online asset that has already been tested internally. This prevents organizations from exposing themselves to unexpectedly high levels of cost and stops them from being over-run with reports of vulnerabilities.”</p><p>It’s also important that firms are ready and able to take remedial action when flaws are discovered, he adds. At the same time, it’s key to match the skills of ethical hackers with the type of assets to be tested, he says. </p><p>But it can be difficult to identify the true impact of vulnerabilities. While an outside researcher might believe they’ve identified a major flaw, companies often have many defenses and mitigations already in place that are not shared externally, says Adams. </p><p>With this in mind, Zoom is rolling out a “Vulnerability Impact Scoring System” to measure the impact of flaws, and pay researchers for the best bugs. 
</p><p>Before introducing a bug bounty program, it’s important to consider the business objectives, says Adams. “These will help determine the scope of the program, whether it runs as private or public, and the rewards system. It may attract a range of participants from beginner bug bounty hunters to full-time professionals.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Why zero trust strategies fail ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/five-zero-trust-pitfalls-to-avoid</link>
                                                                            <description>
                            <![CDATA[ Zero Trust is the gold standard for organizations in protecting systems from cyber attacks, but there are many common implementation pitfalls businesses must avoid ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">BL5vEydYUKbCiZEKFHDJZi</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/D6ZFS3xgHqChAfbizUojYN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 05 May 2023 07:00:24 +0000</pubDate>                                                                                                                                <updated>Fri, 05 May 2023 08:44:39 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sandra Vogel ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/D6ZFS3xgHqChAfbizUojYN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A shot of a woman sat at her desk in a dimly lit office, with her eyes closed and a stressed expression on her face, her hands raised to massage her temples. In the foreground, blue code is rising to either side of the frame to indicate complexity in the task that her unseen screen is showing]]></media:description>                                                            <media:text><![CDATA[A shot of a woman sat at her desk in a dimly lit office, with her eyes closed and a stressed expression on her face, her hands raised to massage her temples. In the foreground, blue code is rising to either side of the frame to indicate complexity in the task that her unseen screen is showing]]></media:text>
                                <media:title type="plain"><![CDATA[A shot of a woman sat at her desk in a dimly lit office, with her eyes closed and a stressed expression on her face, her hands raised to massage her temples. In the foreground, blue code is rising to either side of the frame to indicate complexity in the task that her unseen screen is showing]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/D6ZFS3xgHqChAfbizUojYN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A zero trust strategy is one in which nothing and nobody can use an organization’s digital resources without being verified. This isn’t just about verification upon entry into the system, but also when individuals are moving around within the system.</p><p>Such a strict regime is required because a cyber criminal or an automated agent might breach a system and move about freely within it if, once inside, there were no verification checks. <a href="https://www.itpro.co.uk/security/network-security/358282/what-is-zero-trust"><u>Zero trust</u></a> has, therefore, become a gold standard for <a href="https://www.itpro.com/security/28133/what-is-cyber-security"><u>cyber security</u></a> in today’s enterprise landscape. </p><p>Implementing zero trust requires a root and branch examination of the entire technology estate. The organization needs to identify its vulnerabilities, both technological and human, and figure out <a href="https://www.itpro.co.uk/security/cyber-security/368543/six-cyber-security-holes-you-need-to-plug-now"><u>how to best plug the holes</u></a>. This should be done in the context of minimal disruption to everyday workload, and an understanding that zero trust is not a one-time fix but an evolving idea. 
</p><p>Implementing such a regime, however, isn’t without its potential pitfalls and pain points. It’s a time-consuming and complex process that requires input from many roles across the organization, as well as external expertise. </p><h2 id="1-failing-to-look-beyond-the-corporate-network">1. Failing to look beyond the corporate network</h2><p>When hybrid working is the norm, people will be using all manner of locations to work including their homes and public networks. Everything is part of the <a href="https://www.itpro.co.uk/security/cyber-security/369983/what-is-attack-surface-management"><u>attack surface</u></a> and the organization should trust nothing. Every endpoint is a potential vulnerability. </p><p>This also, by the way, includes devices that might sit outside the network such as printers, security cameras, and other <a href="https://www.itpro.co.uk/cloud-computing/28037/what-is-iot"><u>Internet of Things (IoT)</u></a> devices.</p><p>A thorough audit of devices will be required before work begins, with a strategy in place to protect each device and to ensure that each device is updated as regularly as needed. </p><h2 id="2-implementing-zero-trust-too-quickly">2. Implementing zero trust too quickly</h2><p>Implementing a Zero Trust approach might require significant changes to technologies and also to how people go about their daily business. Go too fast and it’s easy for mistakes to happen. Single devices or applications might slip through the net of compliance assurance at the time of implementation or later. 
Security hygiene – ensuring that <a href="https://www.itpro.co.uk/security/27713/the-importance-and-benefits-of-effective-patch-management"><u>all hardware and software is up to date and patched</u></a> – is a central aspect of zero trust.</p><p>Ensuring every piece of hardware and software is known and its security can be optimized at all times takes time. It is important to allocate enough time to managing everything from the outset, and to develop processes for ensuring existing and new acquisitions are accommodated going forward. </p><h2 id="3-ignoring-the-principles-of-least-privileged-access">3. Ignoring the principles of least privileged access</h2>
<p>Least privileged access refers to the policy of ensuring users only have the bare minimum permission level to do what they need to do. It’s designed to keep access to resources tightly controlled and prevent the kind of sprawling access through systems that can be most helpful to bad actors. </p><p>However, it can be difficult to implement, particularly in the case of <a href="https://www.itpro.co.uk/cloud/34476/what-is-multi-cloud"><u>multi-cloud environments</u></a> in which data and apps are hosted with different providers, each with different policies and security protocols. In the end, budget, available time, and sheer workload can mean in-house teams assign wider privileges than necessary.</p><p>Using a class of software called entitlement management, or cloud infrastructure entitlement management, access to a multitude of software, systems, devices, and cloud platforms can be managed centrally. </p><h2 id="4-failing-to-focus-on-users">4. Failing to focus on users</h2><p>An organization’s employees are not the only stakeholders it’ll have to work with. There may also be contractors, suppliers, purchasers, delivery partners, and others. Presenting users with new protocols, hoops to jump through, and processes – without understanding whether these are seen as barriers – can cause resentment and foster non-compliance strategies. Users who work around security protocols are users who create risk. </p><p>High-quality user education on how to achieve compliance with security protocols is only part of the solution. People must also understand why certain behaviors are required, and be comfortable with any required actions or approaches. 
<a href="https://www.itpro.co.uk/security/cyber-security/370285/can-we-ever-achieve-cyber-security-buy-in"><u>Creating a ‘culture of security’ across the organization</u></a> takes time, effort, and leadership – from chief officers, senior managers, and line managers. </p><h2 id="5-assuming-zero-trust-is-bought-into-by-default">5. Assuming zero trust is bought into by default</h2><p>Every organization is different. Its technology setup will be unique. How people use technology will vary too. Where its people work will vary as well: in-office, remote, or hybrid; in one city, across national offices, or multinational. The variables are many and complex. While certain principles and approaches apply to zero trust, their implementation in any one organization will be unique. Simply going to a vendor and expecting them to do everything without any input is a fallacy. </p><p>Organizations need to commit their own staff resource to work alongside vendors and understand that the implementation of zero trust will take time. This is and will continue to be an ongoing process.</p><p>With cyber attacks showing no signs of slowing down, and with organizations of all sizes and in all markets potentially vulnerable, securing data and networks is paramount. It’s no longer adequate to take a piecemeal approach to this challenge. A zero trust approach can help an organization implement a risk-based strategy toward data security. It isn’t without pitfalls, and organizations should be alive to these, and willing to commit the time and energy required to work them through. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft angers admins as April Patch Tuesday delivers password feature without migration guidance ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/windows/microsoft-april-patch-tuesday-password-feature</link>
                                                                            <description>
                            <![CDATA[ Security fixes include a zero day exploited by a ransomware group and seven critical flaws ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">92PXHhi4fpg7Cv4b8VNdFn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ecqqzhaeTJbyTBMiTyGzNe-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 12 Apr 2023 11:51:19 +0000</pubDate>                                                                                                                                <updated>Thu, 13 Apr 2023 09:40:32 +0000</updated>
                                                                                                                                            <category><![CDATA[Windows]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Microsoft]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ecqqzhaeTJbyTBMiTyGzNe-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Windows logo appearing on a smartphone set against a bright Windows logo taking up the entire background]]></media:description>                                                            <media:text><![CDATA[Windows logo appearing on a smartphone set against a bright Windows logo taking up the entire background]]></media:text>
                                <media:title type="plain"><![CDATA[Windows logo appearing on a smartphone set against a bright Windows logo taking up the entire background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ecqqzhaeTJbyTBMiTyGzNe-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft’s April 2023 Patch Tuesday delivered not just the usual score of security fixes for Windows admins, but also a new feature that has attracted criticism from the IT community.</p><p>The Windows 11 22H2 KB5025239 cumulative update, among other fixes and features, delivers the new Windows Local Administrator Password Solution (LAPS) to IT teams managing both on-prem and cloud environments.</p><p>Microsoft LAPS manages and backs up local admin account passwords on Azure Active Directory-joined devices. </p><p>It’s seen as one of the most secure ways to ensure unauthorized users aren’t able to access things they’re not supposed to.</p><p>The new LAPS is available for Windows 10 and 11 Pro, EDU, and Enterprise versions, as well as Windows Server 2022, Windows Server Core 2022, and Windows Server 2019.</p><p>LAPS for Azure AD is not yet available. It’s now bundled into Microsoft Entra - the name given to Microsoft’s identity and access products that can be managed through a single portal.</p><p>The Azure AD version of LAPS is expected to go from private to public preview “later this quarter,” said Jay Simmons, development lead at Microsoft, and will deliver new features such as password encryption, password histories, an emulation mode, and automatic rotation.</p><p>“Windows LAPS is a huge improvement in virtually every area beyond Legacy LAPS,” he added.</p><p>Online IT admin communities have not greeted the news as warmly as expected.</p><p>The main issue among these communities relates to concerns over how to migrate. 
</p><p>The new LAPS feature has been released but Microsoft has not supplied the community with any documentation detailing how to complete the migration.</p><p>Some professionals have already encountered issues where the new LAPS has stopped working due to nuances in the migration process. </p><p>The prevailing advice is to stop deploying the legacy LAPS MSI immediately after the April Patch Tuesday update is applied. 
</p><p>Failure to do so reportedly breaks the new LAPS and prevents legacy LAPS from updating passwords.</p><p>“You need to update documentation and guidance very soon,” one user told Simmons in an <a href="https://www.reddit.com/r/sysadmin/comments/12itqb9/windows_laps_available_today/"><u>online discussion</u></a>.</p><p>“I hate spending my day discovering something that is about to hit 100,000 of our machines doesn&apos;t have guidance, and we have to action something,” they added.</p><p>“If migration docs aren’t available yet, [why] was this released,” another asked. “This tells me that documentation, upgrades, and coexistence, were not given any priority - which is bloody shocking but given how Microsoft pushes stuff out the last few years, I suppose it really shouldn’t be any more.”</p><p>Simmons responded to users by saying that he “should have been better prepared” to allay the global community’s concerns.</p><p>“New Windows LAPS has been designed to be an almost entirely opt-in feature, using a separate brand new GPO policy and separate brand new AD schema attributes, which – at least to my Microsofty-mind – mostly mitigates the risk of applying the patches to existing environments,” he said.</p><p>“But regardless yes we should have preemptively called this out in the post so as to not scare folks.”</p><p>Error-strewn Patch Tuesday releases are becoming something of a commonality from Microsoft, with the monthly updates often presenting major issues for IT teams.</p><p>Most recently in last month’s March Patch Tuesday updates, IT admins complained about a <a href="https://www.itpro.com/security/370264/windows-admins-plagued-issues-outlook-zero-day-patch"><u>variety of problems after installing patches for an Outlook zero day</u></a>.</p><p>Windows 10 users were hit with the infamous <a href="https://www.itpro.com/operating-systems/microsoft-windows/369757/windows-10-blue-screen-of-death-patch-tuesday-updates"><u>blue screen of death after installing 
December’s updates</u></a>, and around a year earlier <a href="https://www.itpro.com/server-storage/microsoft-windows-server/362009/windows-server-admins-agree-to-forgo-broken-patches"><u>IT admins were forced to ignore the security fixes for a month</u></a> as a result of the rampant issues reported by the community.</p><h2 id="april-2023-patch-tuesday-summary">April 2023 Patch Tuesday Summary</h2><p>Microsoft’s April 2023 Patch Tuesday brought fixes for 97 total security vulnerabilities including seven critical-rated flaws and one zero day that’s been actively exploited by a <a href="https://www.itpro.com/security/28084/what-is-ransomware"><u>ransomware</u></a> group.</p><p>Tracked as CVE-2023-28252, the privilege escalation vulnerability in Windows Common Log File System (CLFS) Driver grants SYSTEM-level privileges if successfully exploited.</p><p>Kaspersky identified exploit attempts dating back to February 2023 that it said were very similar to other types of exploits it had been tracking. </p><p>The team investigated and discovered that it was a zero day affecting different versions of Windows, including <a href="https://www.itpro.com/software/operating-systems/368298/windows-10-vs-windows-11-which-is-best-for-business"><u>Windows 11</u></a>.</p><p>The Nokoyawa group is described as “sophisticated” and used a newer version of its ransomware payload, which has historically been a rebranded version of JSWorm. It is now <a href="https://www.itpro.com/development/programming-languages/369499/move-away-from-memory-unsafe-languages-c"><u>written in C</u></a> with encrypted strings.</p><p>In previous attacks, Nokoyawa has also deployed the Cobalt Strike penetration testing tool to evade antivirus products and, in other attacks, a custom modular backdoor called Pipemagic.</p><p>Kaspersky said it believes “CVE-2023-28252 could have been easily discovered with the help of fuzzing” - a technique that sees automated injections of invalid or unexpected inputs into a target system to reveal security vulnerabilities.</p><p>It said that the clfs.sys driver extensively uses try/catch blocks to handle exceptions, so code continues to execute as if no errors were thrown. 
</p><p>Kaspersky’s <a href="https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/"><u>analysis</u></a> showed that a possible access violation that follows after the vulnerability is triggered was masked by one of these exception handlers, and because there was no crash, fuzzers were most likely ‘finding’ the vulnerability but not reporting it as a potential issue.</p><h2 id="april-2023-patch-tuesday-breakdown">April 2023 Patch Tuesday breakdown</h2><p>This month’s 97 security fixes slightly exceeded March’s total of 83, with the overall count not including the 17 <a href="https://www.itpro.com/web-browsers/24526/what-is-microsoft-edge"><u>Microsoft Edge</u></a> issues patched on 6 April.</p><p>All seven of the critical-severity vulnerabilities were remote code execution (RCE) flaws.</p><p>The two most serious, CVE-2023-21554 and CVE-2023-28250, affecting Microsoft Message Queuing and Windows Pragmatic General Multicast (PGM) respectively, both scored a near-maximum 9.8/10 on the CVSS v3 severity scale.</p><p>Four RCEs were also found in <a href="https://www.itpro.co.uk/desktop-software/19337/office-365-review"><u>Microsoft Office</u></a>, Microsoft Word, and Microsoft Publisher, and were exploitable by opening malicious documents.</p><p>All four were categorized under “exploitation less likely” by Microsoft. 
This classification is assigned to vulnerabilities for which attackers would either have difficulty writing the code, require expertise and/or sophisticated timing, or would experience varied results when testing the vulnerable target.</p><p>These flaws have also not recently been exploited in the wild, but given the potential impact of successful abuse, they warrant an update regardless.</p><p>The full breakdown of the vulnerabilities’ types can be found below:</p><ul><li>45 remote code execution</li><li>20 elevation of privilege</li><li>10 information disclosure</li><li>9 denial of service</li><li>7 security feature bypass</li><li>6 spoofing</li></ul><p>Microsoft&apos;s full dashboard of the month’s updates can be found on <a href="https://msrc.microsoft.com/update-guide/vulnerability"><u>its website</u></a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Sitecore XP RCE flaw is being actively exploited, ACSC warns ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/vulnerability/361486/sitecore-xp-rce-vulnerability-actively-exploited-acsc-warns</link>
                                                                            <description>
                            <![CDATA[ The vulnerability was fixed last month but hackers are now moving against patching laggards ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3VfnW2S6NtA4XnRBc3CA2W</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NAaxiR4hmeiyy7eg8eT2A-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 09 Nov 2021 15:50:19 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NAaxiR4hmeiyy7eg8eT2A-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Graphic showing a red unlocked padlock surrounded by blue locked padlocks]]></media:description>                                                            <media:text><![CDATA[Graphic showing a red unlocked padlock surrounded by blue locked padlocks]]></media:text>
                                <media:title type="plain"><![CDATA[Graphic showing a red unlocked padlock surrounded by blue locked padlocks]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NAaxiR4hmeiyy7eg8eT2A-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Australian Cyber Security Center (ACSC) has cautioned organizations that hackers are actively exploiting a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP).</p><p>Successful exploitation of the vulnerability (CVE-2021-42237) results in remote code execution that “could allow an internet-based actor to install malware/ or webshells and perform other actions”, ACSC said in a statement. </p><p>“The ACSC is aware of active exploitation of this vulnerability in 
Australia,” it added.</p><p>Sitecore XP is a content management system (CMS) that combines customer data, analytics, artificial intelligence (AI), and marketing automation capabilities. This CMS is used heavily by enterprises, including many of the companies within the Fortune 500. The company <a href="https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776#HistoryOfUpdates">rolled out a patch for the flaw in October</a>.</p><p>“The vulnerability is related to a remote code execution vulnerability through insecure deserialization in the Report.ashx file,” Sitecore said in a <a href="https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776">security advisory</a>. “This file was used to drive the Executive Insight Dashboard (of Silverlight report) that was <a href="https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0990938">deprecated</a> in 8.0 Initial Release.”</p><p>The firm added that the vulnerability applies to all Sitecore systems running affected versions, including single-instance and multi-instance environments, Managed <a href="https://www.itpro.com/cloud" data-original-url="https://www.itpro.com/tags/cloud">Cloud</a> environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, etc.), which are exposed to the internet. </p><p>According to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42237">Mitre’s CVE website</a> on the flaw, Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is “vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.”</p><p>The <a href="https://blog.assetnote.io/2021/11/02/sitecore-rce">flaw was first picked up by security researchers at Assetnote</a>. 
Shubham Shah, co-founder and CTO of Assetnote, said that while investigating the Sitecore product and its source code, his team found that the code does not require any authentication.</p><p>Shah added that, to remediate this vulnerability, admins can remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/. He said that in performing offensive <a href="https://www.itpro.com/security" data-original-url="https://www.itpro.com/security">security</a> source code analysis his team often discovers there are critical <a href="https://www.itpro.com/security/cyber-security/361475/critical-vulnerabilities-in-philips-tasy-emr-could-risk-patient-data" data-original-url="https://www.itpro.com/security/cyber-security/361475/critical-vulnerabilities-in-philips-tasy-emr-could-risk-patient-data">vulnerabilities</a> in enterprise software that are incredibly easy to exploit.</p><p>“The apps that we have been auditing are complex, however, the vulnerabilities are quite simple. With a concerted effort in taking apart these enterprise apps, we are able to discover critical vulnerabilities, after understanding the attack surface,” he said.</p><p>Sitecore has advised users to <a href="https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776">upgrade to version 9.0.0 or higher</a>, which protects against the vulnerability.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Oracle releases emergency WebLogic Server patch to fix RCE flaw ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/357633/oracle-releases-weblogic-server-patch-to-fix-remote-code-execution-bug</link>
                                                                            <description>
                            <![CDATA[ The vulnerability could enable hackers to remotely exploit the server without any user interaction ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qzHDYD15Kf3tTvqXpKaKQ5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/QdzeSEV7Dj9BHJe5pkUDmC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 03 Nov 2020 10:15:06 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/QdzeSEV7Dj9BHJe5pkUDmC-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Oracle building with blue sky in the background]]></media:description>                                                            <media:text><![CDATA[Oracle building with blue sky in the background]]></media:text>
                                <media:title type="plain"><![CDATA[Oracle building with blue sky in the background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/QdzeSEV7Dj9BHJe5pkUDmC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Oracle has been forced to issue an out-of-band patch to fix a critical remote code execution (RCE) flaw affecting multiple Oracle WebLogic Server versions.</p><p>The vulnerability, tracked as CVE-2020-14750, could enable hackers to remotely exploit the server via an HTTP GET request through the server's console component without any user interaction, and may be exploited over a network without the need for a username and password.</p><p>"Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” Oracle explained in an <a href="https://www.oracle.com/security-alerts/alert-cve-2020-14750.html">advisory</a>.</p><p>The advisory said that the supported Oracle WebLogic Server versions that are affected by CVE-2020-14750 include 
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.</p><p>Proof-of-concept code that could exploit the bug was made public on <a href="https://github.com/jas502n/CVE-2020-14882">GitHub</a>. According to security firm <a href="https://twitter.com/SpyseHQ/status/1321551194549112832">Spyse</a>, around 3,300 WebLogic servers are exposed at the moment and could be vulnerable to the flaw.</p><p>In a <a href="https://blogs.oracle.com/security/security-alert-cve-2020-14750-released">blog post</a>, Eric Maurice, director of Security Assurance at Oracle, shared a <a href="https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/lockd/secure.html#GUID-8C0CC8CF-3D16-4DC1-BF54-1C1B17D2CEF8">link</a> to help users harden affected servers.</p><p>He also said that the vulnerability is related to CVE-2020-14882, which was addressed in the <a href="https://www.oracle.com/security-alerts/cpuoct2020.html">October 2020 Critical Patch Update</a>. That particular flaw could enable hackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.</p><p>The US Cybersecurity and Infrastructure Security Agency (CISA) also <a href="https://us-cert.cisa.gov/ncas/current-activity/2020/11/02/oracle-releases-out-band-security-alert">warned</a> users about the dangers of the vulnerability and encouraged administrators to apply the patch as soon as possible. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/vulnerability/355276/businesses-brace-for-second-fujiwhara-effect-of-2020-as-patch-tuesday</link>
                                                                            <description>
                            <![CDATA[ Organisations set for a day of chaos on 14 April as vendors plan to fix 500-plus software vulnerabilities at once ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">A95QmqPGwfsD5vJ62RsFh</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Uf9RHPHEBRC6WC57YiYu96-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 09 Apr 2020 11:42:50 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Uf9RHPHEBRC6WC57YiYu96-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[weather]]></media:description>                                                            <media:text><![CDATA[weather]]></media:text>
                                <media:title type="plain"><![CDATA[weather]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Uf9RHPHEBRC6WC57YiYu96-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Software giants will release fixes for hundreds of bugs in unison for the second time this year, at a time when IT teams are already under pressure from mass adoption of remote working and surging cyber crime.</p><p>The forthcoming Patch Tuesday, on 14 April, will see as many as 500 vulnerabilities released by the likes of Microsoft and Oracle, causing a phenomenon dubbed the ‘Fujiwhara effect’. Such a security event is ordinarily rare, with the last one before 2020 occurring in 2014. </p><p>This year has been no stranger to coordinated bug fixes, with next Tuesday representing the second ‘Fujiwhara effect’ in 2020, according to <a href="https://www.riskbasedsecurity.com/2020/04/08/a-familiar-storm-approaches-april-14ths-vulnerability-fujiwhara-event">Risk Based Security</a>. This is in addition to a third event scheduled to hit on 14 July.</p><p>Such coordination of bug fixes poses a challenge for security teams, who <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" target="_blank" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">must analyse and prioritise hundreds of disclosures</a> before remediation can even begin.</p><p>This coming Tuesday may see as many as 300 to 500-plus fixes released, according to forecasts. This is significantly higher than the normal average of roughly 60 flaws published per day.</p><p>This latest onslaught will also come at a time when employees have begun working from home en masse, and cyber criminals have been empowered by <a href="https://www.itpro.com/business-strategy/flexible-working/355186/why-were-lucky-covid-19-has-come-now" target="_blank" data-original-url="https://www.itpro.com/business-strategy/flexible-working/355186/why-were-lucky-covid-19-has-come-now">the COVID-19 pandemic</a> to ramp up activity significantly.</p><p>“Even for large organizations, processing these new “Patch Tuesday” disclosures can take weeks, and that’s with a well-funded and coordinated team,” said Risk Based Security. 
“The hours required for IT security teams to collect, analyze, triage, and then address the coming vulnerabilities will be considerable.</p><p>“If there wasn’t enough going on already, organizations must somehow manage the coming Vulnerability Fujiwhara Effect despite the current business disruption and pressure on security budgets.”</p><p>In meteorology, the ‘Fujiwhara effect’ is an extreme weather event in which two massive hurricanes collide or merge.</p><p>The last cyber security ‘Fujiwhara effect’, on 14 January, saw more than ten major software players participate, including Adobe, SAP, Schneider Electric, VMware, Intel, as well as Oracle and Microsoft, among others.</p><p>The release of so many patches at once, numbering more than 300, saw IT and security teams across the world scramble to implement updates to their business-critical systems.</p><p>Among these fixes was a Microsoft-developed patch for <a href="https://www.itpro.com/security/vulnerability/354524/microsoft-to-patch-extraordinarily-serious-cryptographic-flaw" target="_blank" data-original-url="https://www.itpro.com/security/vulnerability/354524/microsoft-to-patch-extraordinarily-serious-cryptographic-flaw">an "extraordinarily serious" cryptographic flaw</a> anchored in the crypt32.dll Windows component, with organisations like the US military given advanced access to the fix.</p><p>Winding forward some months, <a href="https://www.itpro.com/business-strategy/digital-transformation/355152/it-pro-panel-coping-with-covid-19" target="_blank" data-original-url="https://www.itpro.com/business-strategy/digital-transformation/355152/it-pro-panel-coping-with-covid-19">organisations are facing greater challenges than arguably ever before</a>, in terms of the economy and the labour market, not to mention cyber security threats increasing significantly over the last few weeks. 
</p><p>The UK’s National Cyber Security Centre (NCSC) this week issued a joint warning with US cyber security authorities, alerting businesses to a surge in cyber criminal activity, most of which was attempting to exploit the coronavirus pandemic.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Avast Business Patch Management review: Don’t give up the day job just yet ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/software/34583/avast-business-patch-management-review-don-t-give-up-the-day-job-just-yet</link>
                                                                            <description>
                            <![CDATA[ Good Windows patch management services but a work in progress ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ceb4c6obh12ZEwkbixWKMz</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/7WFgkuERhYMBxf7i4MP8JR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 08 Oct 2019 09:57:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dave Mitchell ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/7WFgkuERhYMBxf7i4MP8JR-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/7WFgkuERhYMBxf7i4MP8JR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Regular patch deployment is one of those things that we all know we should do, but the hassle of patch management can often mean we don't do it as regularly as we could. Patch management is often a struggle for businesses faced with a seemingly never-ending stream of updates, both for <a href="https://www.itpro.com/microsoft-windows/33898/8-killer-new-windows-10-features-for-2019" target="_blank" data-original-url="https://www.itpro.com/microsoft-windows/33898/8-killer-new-windows-10-features-for-2019">Microsoft's Windows software</a> and for sundry other business applications.</p><p>Avast comes to the rescue; its Business Patch Management (BPM) solution aims to provide centralised cloud management of patches for Windows endpoints from a single web console. 
Not only does it manage all Windows systems, but it supports over a thousand third-party apps, allowing you to ditch all your disparate update processes and bring them under one roof.</p><p>BPM lets you decide when to scan for updates and set schedules to determine the time they should be deployed so you can minimise their impact on business operations. You can review updates and choose to ignore specific ones, and use settings templates to control how endpoints are restarted.</p><h2 id="avast-business-patch-management-review-deployment">Avast Business Patch Management review: Deployment</h2><p>The first thing you need to be aware of is that BPM is an add-on enhancement to Avast's Business Antivirus, so you can't currently use it separately and will have to purchase an Antivirus subscription in addition to a BPM plan. We raised this with Avast and it advised us it is in the process of splitting the two products apart as a future feature.</p><p>Before using BPM, you'll need to configure your Windows systems to stop automatic updates and Avast provides help on its support site showing various methods, including using Group Policy Object (GPO). Hardly elegant, but Avast also told us it will be implementing a feature in the console that allows automatic updates to be remotely disabled on systems with the Avast software installed.</p><p>Deployment is a swift process; you can simply create a custom installer utility from the console and send it to your endpoints. 
Delivery methods include copying it to endpoints and installing it manually, emailing a download link to users or linking up with Active Directory and using a master agent to automate the process.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="HxGAfRWo6qXw4EbEhPkzZ4" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/HxGAfRWo6qXw4EbEhPkzZ4.png" mos="https://cdn.mos.cms.futurecdn.net/HxGAfRWo6qXw4EbEhPkzZ4.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>Advanced installer options allow it to be customized further for Windows workstations and <a href="https://www.itpro.com/server-storage/31942/how-to-choose-the-perfect-1u-rack-server" target="_blank" data-original-url="https://www.itpro.com/server-storage/31942/how-to-choose-the-perfect-1u-rack-server">servers</a>. Endpoints can be placed in different groups, each with their own settings template that determines what AV components to install (there are a lot) plus patch management scan and deployment schedules.</p><h2 id="avast-business-patch-management-review-product-evolution">Avast Business Patch Management review: Product evolution</h2><p>We've been testing BPM in the lab for three months and initially found an alarming number of issues that were cause for concern. These included patches being scheduled but never deployed, endpoint reboot tasks constantly being created, some third-party apps failing to update and the original dashboard patch status widgets being very uninformative.</p><p>During this time, we've been in regular contact with Avast's development team, although we're unsure whether regular customers would have received the same level of support. 
That said, rather than being ignored, we've seen many of our criticisms being resolved and our suggestions being implemented.</p><p>The patch management dashboard widgets have been improved so the device summary provides hot links for pulling up quick views of vulnerable systems and those in danger. Rather than presenting a static status table, the patch summary widget now has direct links to systems with issues and the task list can be updated at will with a filter for sorting them into chronological order.</p><p>Most third-party apps installed on our test systems were updated successfully and included the latest Office and Adobe apps plus all popular web browsers - Avast provides a downloadable list which currently shows more than 1,200 supported apps. Some less common apps such as the FileZilla 4 FTP client had to be updated manually and Java updates aren't currently supported, due to Oracle changing its Java patch download processes.</p><p>We highlighted the latter to Avast which plans to add a console link that will allow Java patches to be manually uploaded for distribution by BPM. Despite these glitches, BPM's support for the majority of common business apps will make it easier to manage their updates from one console.</p><h2 id="avast-business-patch-management-review-management-console">Avast Business Patch Management review: Management console</h2><p>Avast's cloud console is very informative; the dashboard provides an overview of protected systems with an unmissable banner across the top that alerts you when systems are deemed vulnerable or in danger. 
The interactive patch widgets keep you posted on endpoint update status while below are two charts that focus on installed AV components and detected malware threats.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="vxzwygrCSHUd3neGF2YRd6" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/vxzwygrCSHUd3neGF2YRd6.png" mos="https://cdn.mos.cms.futurecdn.net/vxzwygrCSHUd3neGF2YRd6.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>Notifications are posted in date order and, where relevant, will have a link alongside that takes you straight to the affected system for a closer look. The device list can be filtered to show those with patch-related issues and endpoints have colour-coded icons for easy status identification.</p><p>The Device Settings page is where you create templates to control BPM agent behaviour. You can choose daily, weekly or monthly patch scan schedules, opt to deploy them immediately or at a specific time, control how and when endpoints are restarted and permit users to postpone or cancel the reboot.</p><p>You can view patch deployment status and apply filters to fine-tune the information while a drop-down menu for each patch allows you to force deployment, ignore it or roll it back on a specific endpoint. Avast provides a set of graphical reports so you can check on patch deployments, see systems that have failed tasks or missing patches and check on patched applications.</p><h2 id="avast-business-patch-management-review-verdict">Avast Business Patch Management review: Verdict</h2><p>Avast's Business Patch Management is clearly a work in progress although the number of updates pushed out during our test period shows plenty of commitment. 
At its foundation, BPM's centralized cloud console and myriad deployment controls look capable of bringing order to Windows patch-related chaos and its support for third-party app updates makes it more versatile than classic products such as Microsoft's WSUS (Windows Server Update Services).</p><p>However, it isn't a smart move tying BPM in with Avast's <a href="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus" target="_blank" data-original-url="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus">antivirus</a> products as this could easily double acquisition costs. Businesses that like the look of BPM but already have a preferred AV vendor other than Avast will need to wait until it is available as a standalone product.</p><h2 id="verdict">Verdict</h2><p>Despite myriad hiccups, Avast takes the pain out of desktop patch management - although it’ll be much better value when it’s a standalone solution</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Patch management vs vulnerability management ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management</link>
                                                                            <description>
                            <![CDATA[ What exactly is patch management, and why should IT pros sit up and take notice of doing it properly? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kTsiwXRHLuKdU7E5C9jmWk</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GtSPNKaboJfjQPDhX9sE4j-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 21 Sep 2019 14:59:00 +0000</pubDate>                                                                                                                                <updated>Wed, 26 Jun 2024 15:25:36 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ keumars.afifi-sabet@futurenet.com (Keumars Afifi-Sabet) ]]></author>                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:description>
                                                                                                        <dc:contributor><![CDATA[ Max Cooter ]]></dc:contributor>
                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/GtSPNKaboJfjQPDhX9sE4j-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Plasters over a hard disc drive to symbolise patch management]]></media:description>                                                            <media:text><![CDATA[Plasters over a hard disc drive to symbolise patch management]]></media:text>
                                <media:title type="plain"><![CDATA[Plasters over a hard disc drive to symbolise patch management]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GtSPNKaboJfjQPDhX9sE4j-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cyber security is always going to be a number one issue for any organisation, and one of the most effective ways of protecting a business is to deploy and maintain robust <a href="https://www.itpro.com/security/patch-management-why-firms-ignore-vulnerabilities-at-their-own-risk">patch management</a> and vulnerability management policies.</p><p>However, there exists some confusion around the scope of each term, and it’s not unheard of for patch management and vulnerability management to be used interchangeably, despite being distinctly different processes.</p><p>Simply put, patch management is the systematic process of applying software updates to address specific flaws. Although there are commonalities, patch management is a far narrower category than vulnerability management, with the former being just one part of the latter.</p><p>Vulnerability management concerns itself more with the establishment of a framework designed to combat vulnerabilities across an organization, with patch management being one of a number of processes deployed to achieve this.</p><p>As vulnerability management is considered a much broader field than patch management, the steps needed to create an effective strategy are far more nuanced and incorporate a larger number of <a href="https://www.itpro.com/business/business-strategy/why-managing-shareholders-is-key-to-innovation">stakeholders</a>.</p><p>We explain the key differences between vulnerability management and patch management below, and break down the importance of each.</p><h2 id="what-is-patch-management">What is patch management?</h2><p><strong>Patch management</strong> is the process of updating all software within a company, using the most current versions released by the manufacturer, in order to fix bugs that have been discovered after release. 
This includes enterprise-level products like server operating systems and database products, as well as more basic tools like <a href="https://www.itpro.com/network-internet/web-browser/359605/microsoft-retiring-internet-explorer-11-on-windows-10-in-2022" data-original-url="https://www.itpro.com/network-internet/web-browser/359605/microsoft-retiring-internet-explorer-11-on-windows-10-in-2022">Internet Explorer</a> and Adobe Flash.</p><p>Patch management can be done manually on a machine-by-machine basis, but it&apos;s much more commonly performed using centralised management tools. This can involve dedicated patch management software, which allows IT teams to set policy-based rules for the automatic application of patches. These can be scheduled around business hours to ensure that patch application results in minimal downtime and loss of productivity.</p><h3 class="article-body__section" id="section-why-is-patch-management-important"><span>Why is patch management important?</span></h3><p>Unpatched systems are one of the easiest attack vectors for criminals looking to gain access to corporate networks. Hackers and security researchers are <a href="https://www.itpro.com/security/34097/exploits-for-windows-bluekeep-vulnerability-commercially-available" target="_blank" data-original-url="https://www.itpro.com/security/34097/exploits-for-windows-bluekeep-vulnerability-commercially-available">constantly discovering new vulnerabilities</a>, and companies are constantly issuing patches to deal with them. 
If those patches are not applied, however, cyber criminals have an easy entry point into your networks.</p><p>Patch management also ensures that all your enterprise equipment keeps working as it should. Technology is a notoriously fickle beast, and even minor software bugs can lead to major headaches and plummeting employee productivity. Timely application of patches ensures that any potential problems can be resolved as soon as possible before the <a href="https://www.itpro.com/business/business-strategy/downtime-costs-enterprises-dollar400-billion-per-year-and-splunk-says-ai-and-security-are-key-to-preventing-this">cost of downtime</a> starts to get out of control.</p><p>Knowing when not to apply an update can be just as important for good patch management, however. New software updates can cause compatibility issues between different systems or can introduce new bugs of their own. 
Good patch management often involves making a judgement call on whether the security benefits of installing a potentially buggy patch outweigh the inevitable downtime.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="MGUNjzpDcKfNjg8Nhan2Df" name="" alt="Update button about to be pressed" src="https://cdn.mos.cms.futurecdn.net/MGUNjzpDcKfNjg8Nhan2Df.jpg" mos="https://cdn.mos.cms.futurecdn.net/MGUNjzpDcKfNjg8Nhan2Df.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><h2 id="what-is-vulnerability-management">What is vulnerability management?</h2><p>Vulnerability management gives you an overview of your security posture as a whole. It gives you a sense of which areas of your infrastructure are most at risk, which not only allows you to prioritise security remediation but also helps inform future IT investment.</p><p>There are a variety of models available for deploying vulnerability management, with a differing number of steps depending on the one you choose. However, generally they all include four main steps. First of all, there’s the scan, then assessment of risk, followed by the prioritisation of vulnerabilities, before the final step of continuous management.</p><h3 class="article-body__section" id="section-scanning-discovery"><span>Scanning / discovery</span></h3><p>The first phase, discovery, involves assessing all assets across the breadth of your IT infrastructure, including servers, laptops, printers, screens, and backup appliances. Essentially all devices that may be connected to a corporate network count, as well as software that’s running. 
The discovery process must ascertain whether the developer still supports the software with security patches, and how up-to-date the software is.</p><p>This process may be arduous and lengthy, but putting in the hard work at this stage is crucial. It’s essential to establish a complete picture of the systems the business relies on, with unpatched hardware introducing needless gaps into the setup.</p><p>One of the tools in the CISO armoury is the Common Vulnerabilities and Exposures (CVE) glossary. This is a <a href="https://cve.mitre.org/"><u>project maintained by Mitre</u></a>, funded by the US Department of Homeland Security, that will catalogue every vulnerability that has so far been identified, ensuring that managers have up-to-date information at their fingertips.</p><p>The scanning process will involve routing TCP/IP traffic across a corporate-wide network; this will enable managers to ascertain where possible weaknesses are. It’s an exhaustive process and there could be downsides insofar as that level of network traffic could lead to the slowing down of the system.</p><h3 class="article-body__section" id="section-assess"><span>Assess</span></h3><p>The second stage is assessing what vulnerabilities are present and what the level of risk is. The most common way of doing this is by using the Common Vulnerability Scoring System (CVSS). This assigns a numerical value to the level of risk for all vulnerabilities that have been assessed.</p><p>The CVSS score will look at three areas in particular:</p><ul><li>Base metrics for qualities intrinsic to a vulnerability</li><li>Temporal metrics for characteristics that evolve over the lifetime of a vulnerability</li><li>Environmental metrics for vulnerabilities that depend on the way that a system has been implemented</li></ul><p>All of these groups will be given a numerical score: these will range from 0 to 10, with 10 being the most severe. 
Different organisations may handle these scores in different ways: some companies will just use the base metrics while some larger organisations – or those with more complex environments – will take temporal and environmental scores into account.</p><p>The CVSS scoring system can be found on the Forum of Incident Response and Security Teams, <a href="https://www.first.org/cvss/" target="_blank">FIRST website</a>.</p><p>The reporting phase follows on once you’ve established a full and up-to-date understanding of the IT estate, and which hardware devices and software are connected to the corporate network. This information should be compiled into a report that is easy to read, accessible and referenceable, detailing the systems that are most vulnerable. This assessment would be based on various criteria such as the severity of unpatched flaws, and how close the systems and applications are to sensitive data.</p><p>It&apos;s possible to do this automatically using software, with many security platforms allowing you to create reports and &apos;digests&apos; based on the results of autonomous network scans. Reporting feeds into the next step, prioritisation, and some vulnerability management programmes class them as part of the same stage.</p><h3 class="article-body__section" id="section-action"><span>Action</span></h3><p>Arguably the most important stage of the vulnerability management process, prioritisation is where you decide the order in which you&apos;re going to address the vulnerabilities within your network. This will be based on a number of factors, but the principal things to consider are: how long it will take to fix, how much it will cost to fix and how much risk it poses. 
Which factor you give the most priority to will likely depend on the individual circumstances of your business, but it&apos;s a good idea to prioritise high impact, low-effort fixes where possible.</p><p>In many cases, the likelihood of a flaw being exploited, or the potential impact if it is, will be low enough that you can judge leaving it unpatched to be an acceptable risk. Alternatively, the cost of fixing something may be so high as to make it unfeasible with your current resources. The important thing is to be able to identify these acceptable risks and to be aware of them going forward.</p><p>Once these vulnerabilities have been assessed and prioritized, there’s a need to look at how those vulnerabilities can be tackled. There are a few options.</p><p>The most obvious one is completely fixing the vulnerability so it can’t be exploited and cause damage to the system. Although this is the ideal way forward, it&apos;s not always achievable, and so you may need to rely on more creative methods. For example, greater use of <strong>segmentation</strong> to make sure that those vulnerable areas are more easily isolated. There could also be greater use of measures such as <a href="https://www.itpro.com/security/29982/what-is-two-factor-authentication">two-factor authentication</a> and encryption to protect any data.</p><p>Other measures may be more costly or time-consuming, however, such as creating a patch for your own application or replacing a device that is no longer supported by the manufacturer.</p><p>You can also take the decision to mitigate an issue by partly addressing the problems or, as mentioned above, by accepting the risks posed by a particular vulnerability. 
Once you&apos;ve completed the response cycle, the process starts again with a fresh round of discovery to see what the state of your network is after your actions to secure it.</p><h3 class="article-body__section" id="section-continuous-management"><span>Continuous management</span></h3><p>Organisations should lastly ensure that there’s an ongoing process of vulnerability management in place once the initial work has been done. This is not just a question of running a sweep of the system and remedying all the vulnerabilities; it’s about establishing a framework going forward that would mean patches are handled effectively, networks have been organised so that any breaches can be isolated, and that staff are fully trained – and continually monitored – to maintain strict control over a corporate-wide system. Any relaxation of this policy could prove very costly indeed.</p><p>A programme of end user training can be one of the most effective components of this continuous management. After all, according to <a href="https://www.verizon.com/business/en-gb/resources/reports/dbir/">a Verizon report</a>, 74% of breaches are down to poor employee behaviour. These are the people who are opening attachments from unknown sources and downloading unsafe apps. A comprehensive vulnerability management strategy will include an effective <a href="https://www.itpro.com/careers/28212/a-guide-to-cyber-security-certification-and-training">training process</a> for employees, so that possible <a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself">social engineering</a> breaches can be minimised.</p><h2 id="why-is-vulnerability-management-important">Why is vulnerability management important?</h2><p>Vulnerability management is crucial because it gives you an overview of your security posture as a whole. 
It gives you a sense of which areas of your infrastructure are most at risk, which allows you to not only prioritise security remediation but also helps inform future IT investment.</p><p>More importantly, vulnerability management gives you insights into potential security holes beyond what you can learn from looking at a list of outstanding patches. There may be a piece of software that is known to be vulnerable, for example, but for which a patch is not yet available. In this case, looking at unapplied patches would not have alerted you to the issue.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Why we’re ignoring the real lesson of WannaCry ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/wannacry/31102/why-we-re-ignoring-the-real-lesson-of-wannacry</link>
                                                                            <description>
                            <![CDATA[ One year on, why does no one WannaLearn? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">8xLThhrj2Rfy5e6wQKa6Jy</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GxmNcBsfrJugkyx3cfUav-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 11 May 2018 14:53:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/GxmNcBsfrJugkyx3cfUav-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Red padlock representing a security hack]]></media:description>                                                            <media:text><![CDATA[Red padlock representing a security hack]]></media:text>
                                <media:title type="plain"><![CDATA[Red padlock representing a security hack]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GxmNcBsfrJugkyx3cfUav-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Saturday marks exactly <a href="https://www.itpro.com/security/28648/nhs-ransomware-attack" target="_blank" data-original-url="https://www.itpro.com/security/28648/nhs-ransomware-attack">one year since the outbreak of the WannaCry ransomware epidemic</a> that hit more than 300,000 computers, affecting major organisations including the NHS, where more than 40 trusts were forced to delay or cancel operations.</p><p>WannaCry made headlines around the world, drawing the attention of governments and regulators to the often woeful lack of cyber security within many large businesses and public sector bodies.</p><p>But one year on, have we learned anything? The answer, I would argue, is no. Basic IT failures are still happening, stupid security mistakes are still being made and no one, it would seem, has learned a damn thing.</p><p>As a case in point, let's take the WannaCry attack 
itself. As malware goes, WannaCry was not particularly sophisticated - at least, not from a technical standpoint. The reason it was able to spread so prolifically is that it took advantage of two pre-existing vulnerabilities: EternalBlue and DoublePulsar. These were critical vulnerabilities, allowing WannaCry to propagate itself exponentially.</p><p>Here's the rub, though: these exploits weren't zero-days. Microsoft had issued patches for them months before the outbreak even occurred. This, if nothing else, is the lesson of WannaCry: patch your damn systems. It shouldn't be that difficult, and it is one of the most basic steps that anyone can take to secure themselves. And yet, <a href="https://www.itpro.com/security/31095/one-year-on-from-wannacry-and-uk-firms-are-exposed-to-cyber-threats-more-than-ever" target="_blank" data-original-url="https://www.itpro.com/security/31095/one-year-on-from-wannacry-and-uk-firms-are-exposed-to-cyber-threats-more-than-ever">according to a Tanium study</a> marking the dubious anniversary, two-thirds of organisations have not improved their patch management systems in the wake of WannaCry.</p><p>Of course, part of the blame for why no lessons have been learnt from WannaCry can be laid squarely at the feet of the security industry. For a solid year, virtually every cyber security firm in the world has been using the WannaCry outbreak as a big, scary stick which it can use to beat people into purchasing its protections. "See," they say; "this is what happens when you don't have a polymorphic, exoplasmic, hyper-next-gen 360-degree threat neutralisation suite! That'll be $300,000 per year, please."</p><p>Security vendors are right, up to a point; threats like WannaCry are a big deal, and organisations need to do more to prepare for them. What the infosec companies are conveniently leaving out, however, is that a surprisingly large proportion of threats can be stymied simply by applying software patches as soon as they are available. 
This isn't a substitute for having a solid security system in place, admittedly. But then, having a security system is no excuse for neglecting to apply patches either.</p><p>Don't get me wrong, I understand that updating software can be a total pain in the neck. Like testing your smoke alarm every two weeks, it's something we know we should do, but don't. We've all been guilty of repeatedly postponing that earnest little alert informing us that honestly, it's really rather important that we apply this update - I've been ignoring one such update for about two weeks on the trot, because it keeps coming up at inconvenient times.</p><p>It's a bad habit, though, and it's one that security firms should be helping all of us to break. The simple fact is that, alongside good password hygiene, a disciplined update schedule is the foundation of effective security. Without it, even the most sophisticated security suite is little more than a castle built upon sand.</p><p>If the IT industry as a whole takes one lesson from WannaCry, let it be this: take the time to update your systems. Patch fully, and patch often.</p><p>You don't have to make it your number one priority (although by rights, it should be) but make sure it's at least in the top three. If you're considering shelling out for a new security package to fight the growing tide of ransomware threats, take a look at your patch procedure first, because if you take care of your patches, then in most cases, they'll take care of you.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 90% of businesses hacked via old, unpatched exploits ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/29272/90-of-businesses-hacked-via-old-unpatched-exploits</link>
                                                                            <description>
                            <![CDATA[ Companies are paying the price for failing to follow basic security guidelines ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5xYh9vSM7T4YFf5vpBTedC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dvzx3wHZq4QnNT7Lr7cNvH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 22 Aug 2017 09:26:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dvzx3wHZq4QnNT7Lr7cNvH-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dvzx3wHZq4QnNT7Lr7cNvH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Hackers have successfully attacked nine out of 10 businesses with exploits that are more than three years old, new research has revealed.</p><p>Two-thirds of attacks over the course of Q2 2017 were ranked as either high or critical severity, Fortinet's latest <a href="https://blog.fortinet.com/2017/08/21/dissecting-our-q2-threat-landscape-report" target="_blank"><em>Global Threat Landscape</em></a> report found, while 60% of businesses were hit by an exploit relating to a flaw dating back more than a decade.</p><p>"Something we don't talk about often enough is the opportunity everyone has to limit bad consequences by employing consistent and effective cybersecurity hygiene," said Fortinet CISO Phil Quade. "Cyber criminals aren't breaking into systems using new zero-day attacks, they are primarily exploiting already-discovered vulnerabilities."</p><p>"This means they can spend more of their resources on technical innovations making their exploits difficult to detect. 
Newer worm-like capabilities spread infections at a rapid pace and can scale more easily across platforms or vectors."</p><p>The data reaffirms an oft-repeated mantra within the security community, that if companies do not follow basic security hygiene guidelines, their business and their users will pay the price.</p><p>The report, which collects data from three million of Fortinet's network devices and sensors deployed in customers' live production environments, also confirmed that hackers are actively exploiting businesses' working hours, with the average daily volume of attacks doubling at weekends when IT and security staff are likely to be out of the office. This led to a total of almost 45% of all exploit attempts occurring on Saturday and Sunday.</p><p>Unsurprisingly, file-sharing applications were a common vector for security threats to enter organisations. Businesses that allowed employees to use a large number of peer-to-peer file-sharing applications reported seven times as many botnets and malware instances as those that did not, while proxy applications reported a nine-fold increase.</p><p>The number of exploits is also growing, increasing 30% compared to the first three months of 2017 to 1.8 billion daily attacks.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Emergency patches cost companies almost $100,000 every month ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/28756/emergency-patches-cost-companies-almost-100000-every-month</link>
                                                                            <description>
                            <![CDATA[ Applying last-minute security fixes is hitting companies hard, says report ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qauykbRYS3YZKXfmaJTuF3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dvzx3wHZq4QnNT7Lr7cNvH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 01 Jun 2017 09:03:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dvzx3wHZq4QnNT7Lr7cNvH-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dvzx3wHZq4QnNT7Lr7cNvH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Issuing emergency patches for newly discovered security threats is costing businesses almost $100,000 per month and taking up more than 60 man-hours, new research has revealed.</p><p>According to an independent survey of 500 CISOs from companies in the UK, US and Germany with more than 1,000 employees, crisis patch management, the practice of scrambling to apply fixes for vulnerabilities such as the SMB flaw behind <a href="https://www.itpro.com/security/28648/nhs-ransomware-attack" target="_blank" data-original-url="https://www.itpro.com/security/28648/nhs-ransomware-attack">last month's WannaCry ransomware attack</a>, is causing businesses a major headache.</p><p>The survey, which was commissioned by security firm Bromium, found that on average, businesses were having to issue a whopping five emergency patches every month. That equates to more than one a week, and with each patch taking an average of more than 12 man-hours to apply, it's easy to see why more than half of CISOs say that issuing them is a 'major disruption' for their teams.</p><p>More importantly, these last-minute patch jobs are putting a huge hole in companies' bottom line. Over 50% of businesses have had to either pay overtime to IT staff or bring in a third-party response unit to deal with emergency patches and security issues. According to the study, this costs companies almost $20,000 per patch.</p><p>"We can see with the recent WannaCry outbreak, where an emergency patch was issued to stop the spread of the worm, that enterprises are still having to paper over the cracks in order to secure their systems," said Simon Crosby, Bromium's co-founder and CTO.</p><p>"The fact that these patches have to be issued right away can be hugely disruptive to security teams, and often very costly to businesses, but not doing so can have dire consequences. 
WannaCry certainly isn't an isolated case and as ransomware and polymorphic malware become increasingly sophisticated and difficult to defend against, we are going to see many more emergency patches become a crisis although, sadly, they will often be too late."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Motorola begins Stagefright patch roll-out ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/25122/motorola-begins-stagefright-patch-roll-out</link>
                                                                            <description>
                            <![CDATA[ 22 devices will be patched against the bug ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">4JkauUyJ77yRJFtdUya4wf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CbFLjawbGCnZ5WsRq9mkRX-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Mon, 10 Aug 2015 13:58:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Android]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Google]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/CbFLjawbGCnZ5WsRq9mkRX-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CbFLjawbGCnZ5WsRq9mkRX-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Motorola is getting ready to patch 22 of its devices against the <a target="_blank" href="https://www.itpro.com/hacking/25058/eset-releases-stagefright-app-for-android" data-original-url="https://www.itpro.com/hacking/25058/eset-releases-stagefright-app-for-android">recently discovered "Stagefright" Android bug</a>.</p><p>The company announced that it is sending out patches to its carrier partners for testing and approval from today for the following devices:</p><ul><li>Moto X (1st Gen, 2nd Gen)</li><li>Moto X Pro</li><li>Moto Maxx/Turbo</li><li>Moto G (1st Gen, 2nd Gen)</li><li>Moto G with 4G LTE (1st Gen, 2nd Gen)</li><li>Moto E (1st Gen, 2nd Gen)</li><li>Moto E with 4G LTE (2nd Gen)</li><li>DROID Turbo</li><li>DROID Ultra/Mini/Maxx</li></ul><p>Its three new 2015 devices, the Moto X Style, Moto X Play and third-generation Moto G, will all have the patch integrated into their software at launch, with the exception of some of the initial release Moto Gs in certain, unspecified regions. These will receive the update soon, however, the company said.</p><p>While the patches are rolling out to carriers from today, it could be a little while before they are ready for consumers.</p><p>"Many carriers have unique requirements that result in unique variants of software," said Motorola. "As a result, there are over 200 variants of software that we are working to patch, test and deploy to our carrier partners for their testing and approval. 
We are prioritising our deployments of the patch to the largest groups of consumers first and working closely with our carrier partners to make the patch available as soon as possible."</p><p>The company advised users that a notification to download and install an update would appear as soon as the patch is available, but said that it "encourage[s] everyone to periodically check if they have the latest software by checking in Settings>About Phone>System Updates".</p><p>The news comes just days after <a target="_blank" href="https://www.itpro.com/mobile/25113/after-stagefright-samsung-and-lg-plan-monthly-bug-patches" data-original-url="https://www.itpro.com/mobile/25113/after-stagefright-samsung-and-lg-plan-monthly-bug-patches">Samsung and LG announced they would be moving to monthly security updates</a> in an attempt to enhance consumer safety.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft and Apple patch FREAK bug – now you’ve got to update ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/hacking/24209/microsoft-and-apple-patch-freak-bug-now-you-ve-got-to-update</link>
                                                                            <description>
                            <![CDATA[ Tech giants address the flaw that downgrades security of Android, iOS, Windows and OSX ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">o7mkvQ2PgYqobu9pXgxEV2</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/T8qicrZDhsULtqNrjWTwg9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 11 Mar 2015 12:36:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Joe Curtis ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/T8qicrZDhsULtqNrjWTwg9-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/T8qicrZDhsULtqNrjWTwg9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft and Apple have moved to stem the bleeding caused by the FREAK vulnerability, releasing patches for the bug.</p><p>The tech giants are just two of the firms whose software FREAK has weakened, <a href="https://www.itpro.com/security/24155/freak-flaw-leaves-apple-google-users-at-risk" target="_blank" data-original-url="https://www.itpro.com/security/24155/freak-flaw-leaves-apple-google-users-at-risk">after the decade-old SSL vulnerability only came to light this month</a>.</p><p>FREAK, an acronym for Factoring Attack on RSA-EXPORT Keys, was the US government's effort in the 1990s to downgrade encryption on exports.</p><p>It allows hackers to weaken software security from "strong RSA" to "export grade", according to Matthew Green, a research professor at Johns Hopkins University, one of the researchers who helped uncover the flaw.</p><p>Redmond admitted last week that <a href="https://www.itpro.com/security/24185/freak-hits-all-versions-of-windows" target="_blank" data-original-url="https://www.itpro.com/security/24185/freak-hits-all-versions-of-windows">all versions of Windows were susceptible to the bug</a>, while it has also left Android and iOS devices at risk of hacking for a decade.</p><p>Now, however, Apple and Microsoft have joined Google in patching the flaw.</p><p>Security researcher Graham Cluley <a href="http://www.intego.com/mac-security-blog/apple-releases-freak-fix-for-os-x-ios-and-apple-tvs" target="_blank">wrote in a blog post</a>: "Apple appears to have resolved the FREAK vulnerability for its users in a relatively short amount of time."</p><p>Apple's Security Update 2015-002 protects the Mac's OS X operating system, while similar patches address the vulnerability in iOS and Apple TV, too.</p><p>Meanwhile, Microsoft has issued 14 security bulletins for this month's Patch Tuesday, one of which specifically addresses FREAK.</p><p>Alan Bentley, international senior vice president at IT security 
firm Heat Software, said: "Now that Apple and Microsoft have made fixes available, the onus is on organisations to address the vulnerability.</p><p>"Failure to apply the appropriate patch will mean organisations are knowingly leaving their back doors open and allowing hackers access to their personal and private data."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google Chrome has highest number of vulnerabilities ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/23731/google-chrome-has-highest-number-of-vulnerabilities</link>
                                                                            <description>
                            <![CDATA[ But the high level is down to its efficient detection system ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sCa8UdWYKADAjRS1k64QiZ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wxoifjSY89cHo4N7WKAwtb-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Dec 2014 09:09:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Google]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Clare Hopping ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wxoifjSY89cHo4N7WKAwtb-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[security key on keyboard]]></media:description>                                                            <media:text><![CDATA[security key on keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[security key on keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wxoifjSY89cHo4N7WKAwtb-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google Chrome has the highest level of detected vulnerabilities, while Avant has the second highest, according to research.</p><p>Security detection company Secunia exposed 162 Chrome threats in October alone, which is quite a hike from its August number of 64. Avant claimed 159, while the third in line was iTunes with 83.</p><p>However, the firm said the reason the number is so high is that Google has the most advanced detection system in the industry, meaning it's probably more secure than others that have lower readings.</p><p>Kasper Lindgaard, Secunia's director of research and security, said: "It is almost always Google themselves who disclose the vulnerabilities," meaning it's safer to use "due to the vendor proactively hunting down and fixing vulnerabilities before anyone knows about them".</p><p>Not only does Google have a stringent in-house vulnerability detection system, it also offers attractive rewards to those outsiders who uncover risks, encouraging white hat hackers and security researchers to report any vulnerabilities they detect in return for a bounty.</p><p>Additionally, the browser uses a number of third-party libraries which "may or may not make Google Chrome vulnerable too," according to Lindgaard.</p><p>The number of vulnerabilities detected has risen 40 per cent year-on-year, with a total of 1,841 vulnerabilities in the 20 most vulnerable programs. IBM was the worst-performing company with a high number of flaws across its suite of products.</p><p>Yesterday, it was announced Google was going to take a further step in warning users of potentially harmful sites by marking those that use the 'http' protocol rather than 'https' as insecure.</p><p>"The goal of this proposal is to more clearly display to users that HTTP provides no data security," members of the Chrome Security Team said in a <a href="https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure">blog post</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft's July Patch Tuesday to feature 2 critical fixes ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/22636/microsofts-july-patch-tuesday-to-feature-2-critical-fixes</link>
                                                                            <description>
                            <![CDATA[ Microsoft has notified users of upcoming security fixes, including two critical-rated vulnerabilities ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">tXj1jKBSEBhqaPmzRkUhBP</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GLDgJGdTbzMkJi2fhFXRf7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 04 Jul 2014 10:56:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Microsoft]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Alex Hamilton ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/GLDgJGdTbzMkJi2fhFXRf7-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Patch Tuesday]]></media:description>                                                            <media:text><![CDATA[Patch Tuesday]]></media:text>
                                <media:title type="plain"><![CDATA[Patch Tuesday]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GLDgJGdTbzMkJi2fhFXRf7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft will be rolling out two critical fixes during its monthly Patch Tuesday round of security updates.</p><p>There are six notifications in all, with two ranked critical, three important and one listed as only moderate.</p><p>The average since 2013 has been around nine per month, so the six announced for next week represent a lower bulletin count than usual.</p><p>Of the two labelled critical, one is related to Internet Explorer, and is more than likely to be a patch that collects a number of updates needed for the browser. This marks the sixth Patch Tuesday in a row that's featured updates for the browser.</p><p>Wolfgang Kandek, CTO of Qualys, highlighted the importance of the IE update in a <a href="https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/07/03/july-2014-patch-tuesday-preview">blog post</a>. "This patch should be top of your list, since most attacks involve your web browser in some way.</p><p>"Take a look at the most recent numbers in Microsoft SIR report v16, which illustrate clearly that web-based attacks, which include Java and Adobe Flash are the most common," he added.</p><p>The second critical bulletin resolves remote code execution issues with all versions of Windows currently available, including Windows RT and RT 8.1.</p><p>Arriving third, fourth and fifth, the "important" bulletins address issues around privilege elevation. 
All the vulnerabilities addressed by these bulletins are local, meaning they cannot be executed through a network connection.</p><p>That doesn't mitigate the danger, claims Kandek, as an attacker who gains access to a computer through stolen credentials can still control the user's computer with them.</p><p>Bulletin six, ranked the lowest in importance with a "moderate" rating, fixes denial-of-service vulnerabilities in Microsoft's server software.</p><p>"All of the vulnerabilities in this month's release were discovered by Microsoft or privately disclosed by security researchers," said Karl Sigler, threat intelligence manager at Trustwave. "The good news is that none of these vulnerabilities have been exploited in the wild yet."</p><p>Full details of each bulletin will be released when the patches go live next Tuesday.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft to roll out two critical security bug fixes ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/desktop-software/22421/microsoft-to-roll-out-two-critical-security-bug-fixes</link>
                                                                            <description>
                            <![CDATA[ The Office, IE and Windows updates will be patched in the monthly Patch Tuesday fix ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aurp118umDDqLM7jemhpko</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/R5oWbhVKhE5LdjoRYTnbPH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 09 Jun 2014 07:34:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Clare Hopping ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/R5oWbhVKhE5LdjoRYTnbPH-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Patch Tuesday]]></media:description>                                                            <media:text><![CDATA[Patch Tuesday]]></media:text>
                                <media:title type="plain"><![CDATA[Patch Tuesday]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/R5oWbhVKhE5LdjoRYTnbPH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft will be rolling out seven updates in its Patch Tuesday fix, with two critical and five important.</p><p>The first three bulletins will fix vulnerabilities in Windows, IE, Office and Lync.</p><p>The first patch will fix a vulnerability, known as CVE-2014-1770, in Internet Explorer 8. The vulnerability allows hackers to access Internet Explorer remotely using arbitrary JavaScript code execution if the user visits a malicious website or downloads an untrusted file.</p><p>Last month, Microsoft was criticised for failing to fix the security hole, discovered in October 2013, at <a href="https://www.itpro.com/security/22318/microsoft-fails-to-patch-critical-flaw-in-internet-explorer" data-original-url="https://www.itpro.com/security/22318/microsoft-fails-to-patch-critical-flaw-in-internet-explorer">HP's Zero Day Initiative</a>. The ZDI publicly discloses any vulnerability that goes unfixed for six months as a matter of public interest.</p><p>Bulletin 2 of Microsoft's Patch Tuesday update fixes problems in Windows, Office and Lync while Bulletin 3 addresses remote access possibilities in Office.</p><p>This Patch Tuesday update will also include fixes that address information disclosure in Windows and Lync Server (patches 4 and 5), denial of service attacks in Microsoft Windows (bulletin 6) and tampering in the Microsoft Windows system (bulletin 7).</p><p>This final category of flaw doesn't appear very often in Windows' Patch Tuesday updates, but it allows remote hackers to make a security-related change that should activate security systems, but doesn't, such as installing an unsigned malware addition to digitally signed software or giving the impression of a signed website that is actually a rip-off of an existing certificate.</p><p>All seven patches may require a computer restart, with Windows XP the only system not needing to be reset, with bulletins 1, 2 and 6 all specifying you will need to restart in order for the patch to take effect, across all operating system versions.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cisco plugs ACS password security hole ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/644014/cisco-plugs-acs-password-security-hole</link>
                                                                            <description>
                            <![CDATA[ Networking giant issues patch to stop hackers bypassing password protection in Access Control System. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bvUV17SKRJf5iUFDZq1Sxk</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/9n3p7XZhnWJrGSABAHPjeJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 08 Nov 2012 12:57:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/9n3p7XZhnWJrGSABAHPjeJ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Security]]></media:description>                                                            <media:text><![CDATA[Security]]></media:text>
                                <media:title type="plain"><![CDATA[Security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/9n3p7XZhnWJrGSABAHPjeJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Networking titan Cisco has patched a vulnerability in its Access Control System (ACS) platform that could allow hackers to bypass password protections.</p><p>The update installs a revision of ACS, a part of which handles the platform's TACACS+ authentication.</p><p>Cisco said the vulnerability was caused by the improper validation of user-supplied passwords when TACACS+ is the authentication protocol and Cisco Secure ACS is configured with a Lightweight Directory Access Protocol (LDAP) external identity store.</p><p>An attacker may exploit this vulnerability by sending a special sequence of characters when prompted for the user password.</p><p>They would then need to know a valid username stored in the LDAP external identity database to exploit this vulnerability, and the exploitation is limited to impersonating only that user.</p><p>An exploit could allow the attacker to successfully authenticate to any system using TACACS+ in combination with an affected Cisco Secure ACS.</p><p>The update is free to download and install, with Cisco urging organisations to install the fix as soon as possible.</p><p>The flaw was initially flagged by SANS security researcher Mark Baggett.</p><p>Baggett said exploitation of the vulnerability was "very easy".</p><p>"If you are using Cisco ACS for authentication you should probably take note of this announcement," he said.</p><p>News of the flaw in Cisco's ACS comes around a week after the company was forced to issue patches for its datacentre and web conferencing products, fixing flaws that could allow remote command execution in its Cisco Prime Data Center Network Manager.</p><p>Versions prior to 6.1.1 are vulnerable to remote exploits on the underlying system that hosts the application, according to Cisco.</p><p>It also reported a SQL injection and buffer overrun vulnerability in its Cisco Unified MeetingPlace Web Conferencing product.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple issues Oracle Java 7 patch for Mac OS X users ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/642694/apple-issues-oracle-java-7-patch-for-mac-os-x-users</link>
                                                                            <description>
                            <![CDATA[ Consumer electronics giant hopes patch will fix zero-day Java exploit in Mac OS X. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2c7igyeQHmfgUp5tAidKG7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/XWbjxZcLgWtJ32cPUNDzPD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 06 Sep 2012 10:34:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Web Browsers]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/XWbjxZcLgWtJ32cPUNDzPD-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[New update]]></media:description>                                                            <media:text><![CDATA[New update]]></media:text>
                                <media:title type="plain"><![CDATA[New update]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/XWbjxZcLgWtJ32cPUNDzPD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has rolled out an update to patch up Java vulnerabilities on its Mac OS X computers.</p><p>According to the company, the Java SE 6 update would fix vulnerabilities that could allow hackers to remotely execute code on a victim's system.</p><p>The patch fixes flaws in Mac OS X 10.6 upwards, including Lion and Mountain Lion, the newest operating system to hail from Cupertino.</p><p>While Apple maintains SE 6 and has issued a fix for it, software giant Oracle controls the maintenance and development of SE 7 on OS X, Windows and Linux.</p><p>Oracle has also put out a patch for SE 6 on Windows and Linux. Standalone applications and server installations of Java are not affected by the problem.</p><p>Oracle has been slow to issue a patch, drawing criticism from the security community, who said the firm knew about the flaw long before any security update was issued.</p><p>Oracle has also been under fire for releasing a patch which was later found to contain a serious exploit.</p><p>The problem has raised serious questions over the security of Oracle's Java platform, leading many to suggest that users and IT professionals should limit use or remove the code from systems altogether.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Internet users told to ditch web browser Java 7 plug-ins ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/642535/internet-users-told-to-ditch-web-browser-java-7-plug-ins</link>
                                                                            <description>
                            <![CDATA[ Web browsers using the Java 7 plug-in are at high risk of attack, warns US government. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3oBuj7YwrKfQRfEvRv6WeA</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ktxtZTn9ELqqrHPDNSkB3L-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 28 Aug 2012 15:59:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Caroline Donnelly ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ktxtZTn9ELqqrHPDNSkB3L-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Internet search]]></media:description>                                                            <media:text><![CDATA[Internet search]]></media:text>
                                <media:title type="plain"><![CDATA[Internet search]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ktxtZTn9ELqqrHPDNSkB3L-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The US government is ordering internet users to disable Java in their web browsers following the discovery of a new Oracle Java 7 zero-day vulnerability.</p><p>The glitch allows Java applets to carry out arbitrary operating system commands.</p><p>It is understood to affect web browsers that use the Java 7 plug-in, including Mozilla Firefox, Google Chrome, Internet Explorer and Apple Safari.</p><p>The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) has issued a statement alerting internet users around the world to the issue.</p><p>"Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available," the statement reads.</p><p>It warns end users could be coerced into visiting sites hosting malicious applets, allowing hackers to execute arbitrary operating system commands on vulnerable systems.</p><p>Internet users can protect themselves by disabling Java web browser plug-ins, the statement added.</p><p>Security vendor FireEye said the vulnerability has been seized on by hackers to carry out "limited targeted attacks" originating from Chinese web servers.</p><p>Atif Mushtaq, security researcher at FireEye, called on Oracle to issue a patch in a FireEye blog post. "It will be interesting to see when Oracle plans [to patch it.] Until then, most of the Java users are at the mercy of this exploit," he wrote.</p><p>Oracle declined to comment.</p><p>The next Oracle Java patch is expected to drop on 16 October 2012.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft urges users to apply latest security patch ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/639541/microsoft-urges-users-to-apply-latest-security-patch</link>
                                                                            <description>
                            <![CDATA[ Update addresses flaws in Remote Desktop Protocol ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vepVzbZ3RHeBGndA2sD6B</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kN9b34iSn7HpeHzktErFsa-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 14 Mar 2012 11:09:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Firewalls]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/kN9b34iSn7HpeHzktErFsa-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Security]]></media:description>                                                            <media:text><![CDATA[Security]]></media:text>
                                <media:title type="plain"><![CDATA[Security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kN9b34iSn7HpeHzktErFsa-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft is urging people to waste no time in applying its latest security patch, warning that it expects to see exploits of patched vulnerabilities within 30 days.</p><p>According to Microsoft, update MS12-020 addresses two vulnerabilities in Microsoft's implementation of the Remote Desktop Protocol (RDP), and one of the flaws is a remote code execution vulnerability affecting all versions of Windows.</p><p>Attackers could use the vulnerability to remotely access computers without authorisation.</p><p>Microsoft said it "strongly encouraged" users to make "a special priority of applying this particular update" because the potential rewards for attackers would make the vulnerability too tempting to ignore.</p><p>"We are not aware of any attacks in the wild and the remote desktop protocol is disabled by default," the company said in its security blog outlining the problem and how system administrators should deal with it.</p><p>"However, due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days."</p><p>Microsoft said attackers could exploit the vulnerability over networks before authentication was required because "RDP is commonly allowed through firewalls due to its utility".</p><p>The service runs in kernel-mode as SYSTEM by default on almost all platforms, the company said.</p><p>"We determined that this vulnerability is directly exploitable for code execution," Microsoft said.</p><p>"Developing a working exploit will not be trivial; we would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe patches two critical flaws ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/638914/adobe-patches-two-critical-flaws</link>
                                                                            <description>
                            <![CDATA[ Shockwave and RoboHelp flaws are covered by Adobe in a busy week for patching. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vdXytCt7piAAfL5eVNLQti</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/34u8to2N5McFsQtwVfnWnP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Feb 2012 12:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/34u8to2N5McFsQtwVfnWnP-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Security]]></media:description>                                                            <media:text><![CDATA[Security]]></media:text>
                                <media:title type="plain"><![CDATA[Security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/34u8to2N5McFsQtwVfnWnP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Adobe has issued two patches for critical vulnerabilities affecting its Shockwave Player software and RoboHelp for Word authoring product.</p><p>Two bulletins were issued on Tuesday, one of them addressing nine security flaws - most of them memory corruption vulnerabilities - in Shockwave version 11.6.3.633 and earlier versions on Windows and Mac OS.</p><p>"These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system," Adobe said in its <a href="http://www.adobe.com/support/security/bulletins/apsb12-02.html" target="_blank">advisory</a>.</p><p>There was just one vulnerability - CVE-2012-0765 - in RoboHelp, affecting Windows users only.</p><p>"A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word," Adobe warned in a separate <a href="http://www.adobe.com/support/security/bulletins/apsb12-04.html" target="_blank">advisory</a>.</p><p>"Adobe recommends users update their product installation."</p><p><a href="https://www.itpro.com/638806/valentines-patch-tuesday-to-fix-21-flaws" target="_blank" data-original-url="https://www.itpro.com/638806/valentines-patch-tuesday-to-fix-21-flaws">Microsoft yesterday issued its Patch Tuesday release</a> for February, covering 21 vulnerabilities, including a critical update to Internet Explorer.</p><p>The patches came on the same day security company <a href="https://www.itpro.com/638860/software-industry-slammed-for-poor-patching-practice" target="_blank" data-original-url="https://www.itpro.com/638860/software-industry-slammed-for-poor-patching-practice">Secunia slammed the software industry</a> for not doing enough to promote patching and ease the burden for IT managers.</p><p>Secunia's annual patch report found none of the top 20 software providers, including tech giants like Apple, Microsoft and Google, were able to cut the number of flaws in their products over the past five years.</p><p>"Vendors in general should improve their communication to customers and the patch distribution mechanism (for consumers that would imply auto updating)," said Thomas Kristensen, chief security officer at Secunia.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Valentine’s Patch Tuesday to fix 21 flaws ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/638806/valentines-patch-tuesday-to-fix-21-flaws</link>
                                                                            <description>
                            <![CDATA[ Microsoft won't be spreading the love this Valentine's Day as nine security bulletins are set to be released. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">gYh5fpi5ubfSNsL6Xs4YB6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/rdSZNgeaor9Dn7CnpcFj4E-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 10 Feb 2012 11:56:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/rdSZNgeaor9Dn7CnpcFj4E-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Computer love]]></media:description>                                                            <media:text><![CDATA[Computer love]]></media:text>
                                <media:title type="plain"><![CDATA[Computer love]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/rdSZNgeaor9Dn7CnpcFj4E-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/638710/microsoft-dynamics-crm-goes-mobile" target="_blank" data-original-url="https://www.itpro.com/638710/microsoft-dynamics-crm-goes-mobile">Microsoft</a> will issue nine security bulletins covering 21 flaws this Valentine's Day, marking a medium weight release for IT departments to deal with.</p><p>Four of the bulletins have been rated critical and IT managers have been advised to focus on covering those affecting Internet Explorer first.</p><p>"There is the expected critical update to Internet Explorer which should be highest priority. After all, we saw last month how quickly attackers are incorporating browser based attacks into their toolkits; an exploit for MS12-004 was detected a mere 15 days after Patch Tuesday," said Wolfgang Kandek, CTO of Qualys, in a <a href="http://laws.qualys.com/2012/02/february-2012-patch-tuesday-pr.html" target="_blank">blog post</a>.</p><p>"There are also two critical fixes for Windows itself, plus one for the .NET framework that should be prioritised.</p><p>"In the 'important' category, there are three Remote Code Execution vulnerabilities, one of them in Office. Most likely we are looking at file based attacks and at least the Office vulnerability should be included in your first tier of patching."</p><p>IT managers running Windows Server 2008 R2 will also want to ensure they take note of the release on 14 February.</p><p>For the full advisory from Microsoft, head <a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-feb" target="_blank">here</a>.</p><p>Last month, Microsoft issued a total of <a href="https://www.itpro.com/638197/microsoft-and-adobe-plan-busy-january-patch-days" target="_blank" data-original-url="https://www.itpro.com/638197/microsoft-and-adobe-plan-busy-january-patch-days">seven bulletins for eight vulnerabilities</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft and Adobe plan busy January patch days ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/638197/microsoft-and-adobe-plan-busy-january-patch-days</link>
                                                                            <description>
                            <![CDATA[ IT departments will have a busy month of patching to kick off 2012. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9beNmYP7ETAjXFPvY6vp8f</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GLDgJGdTbzMkJi2fhFXRf7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 09 Jan 2012 11:12:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/GLDgJGdTbzMkJi2fhFXRf7-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Patch Tuesday]]></media:description>                                                            <media:text><![CDATA[Patch Tuesday]]></media:text>
                                <media:title type="plain"><![CDATA[Patch Tuesday]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GLDgJGdTbzMkJi2fhFXRf7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Both <a href="https://www.itpro.com/637990/microsoft-spots-malware-posing-as-police" target="_blank" data-original-url="https://www.itpro.com/637990/microsoft-spots-malware-posing-as-police">Microsoft</a> and <a href="https://www.itpro.com/637753/another-adobe-zero-day-strikes" target="_blank" data-original-url="https://www.itpro.com/637753/another-adobe-zero-day-strikes">Adobe</a> have welcomed the new year by announcing some notable patching days for IT departments to be aware of.</p><p>Microsoft usually keeps Patch Tuesdays quiet in January, but has issued <a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-jan" target="_blank">seven security bulletins</a> for eight vulnerabilities.</p><p>One of those is a critical remote code execution vulnerability in Media Player, although for users of Windows 7 and Windows 2008 R2 its severity is downgraded to 'important.'</p><p>The remaining bulletins are ranked as important. One of those covers the <a href="https://www.itpro.com/636304/ssl-under-threat-as-flaw-exploited" target="_blank" data-original-url="https://www.itpro.com/636304/ssl-under-threat-as-flaw-exploited">BEAST SSL flaw</a> highlighted by researchers last year.</p><p>Researchers found a way to exploit a long-known flaw in TLS (Transport Layer Security) that could have undermined the security credentials of the SSL cryptographic protocol and affected millions of sites. 
However, little emerged from the discovery.</p><p>"Bulletins three and five, while rated 'important' both involve Remote Code Execution, most likely through a specifically crafted input file to one of the Windows standard programs and should also be high on your list of bulletins to look at," recommended Wolfgang Kandek, CTO of Qualys.</p><p>"Bulletin two stands out as it is tagged as 'Security Feature Bypass,' which is a new category. Next Tuesday it will be interesting to see which exact Windows features are involved and how this vulnerability can be used by attackers."</p><p>Adobe will join Microsoft in issuing updates tomorrow (10 January). It will address critical flaws in Reader and Acrobat.</p><p>"These updates will include fixes for CVE-2011-2462 and CVE-2011-4369, previously addressed in Adobe Reader and Acrobat 9.x for Windows," Adobe said in its <a href="http://www.adobe.com/support/security/bulletins/apsb12-01.html" target="_blank">advisory</a>.</p><p>Oracle is also due to issue its quarterly security update on 17 January, making it a busy month of patching for IT managers.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Oracle pushes emergency DDoS vulnerability patch ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/636214/oracle-pushes-emergency-ddos-vulnerability-patch</link>
                                                                            <description>
                            <![CDATA[ Ellison's firm pushes out a rare out-of-cycle patch to fix a DDoS vulnerability. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cdvc7UfsmNDAAid14N2NwL</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bWiv7C9Jk5odnvrwo3sw5F-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 19 Sep 2011 10:30:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Servers &amp; Storage]]></category>
                                                    <category><![CDATA[Infrastructure]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bWiv7C9Jk5odnvrwo3sw5F-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Patch]]></media:description>                                                            <media:text><![CDATA[Patch]]></media:text>
                                <media:title type="plain"><![CDATA[Patch]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bWiv7C9Jk5odnvrwo3sw5F-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/636166/saps-tomorrownow-pleads-guilty-in-oracle-case" target="_blank" data-original-url="https://www.itpro.com/636166/saps-tomorrownow-pleads-guilty-in-oracle-case">Oracle</a> has issued an out-of-cycle patch for a denial of service flaw in the Apache web server, versions httpd 2.0 or 2.2, affecting a range of products.</p><p>Whilst Oracle has not given the <a href="https://www.itpro.com/635812/hackers-breach-nokia-developer-community" target="_blank" data-original-url="https://www.itpro.com/635812/hackers-breach-nokia-developer-community">vulnerability</a> a high rating, it noted how easily the flaw could be exploited.</p><p>"This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password," Oracle noted in its security <a href="http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html" target="_blank">advisory</a>.</p><p>"A remote user can exploit this vulnerability to impact the availability of un-patched systems."</p><p>Larry Ellison's firm recommended IT departments update their systems as soon as possible, due to "the threat posed by a successful attack."</p><p>Products affected include Oracle's Fusion Middleware and Application Server products. Oracle Enterprise Manager is also affected if the user is running the Fusion Middleware containing the vulnerability.</p><p>The flaw emerged last month, when the Apache Software Foundation revealed the denial-of-service vulnerability affected all versions of the Apache web server.</p><p>It worked by allowing a malicious user to exploit the Range feature in Apache web servers, which enables the pausing and resuming of downloads. 
An attack tool was spotted in the wild, giving hackers the power to overload a server by asking it to access multiple parts of a file simultaneously.</p><p>The Apache Software Foundation has already issued two patches to fix the problem in version 2.2. It sent out an initial patch towards the end of August, before issuing another to go on top of that fix.</p><p>"However conservative you might be, if you're an Oracle user, this patch is definitely recommended in a hurry," said Sophos' Paul Ducklin, in a <a href="http://nakedsecurity.sophos.com/2011/09/17/oracle-issues-rare-out-of-band-update-for-apache-ddos-vulnerability/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29" target="_blank">blog post</a>.</p><p>"The general unwillingness of Oracle to deviate from its once-every-three-months patch cycle spells one word, 'Importance.'"</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Oracle issues ‘huge’ patch update ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/635065/oracle-issues-huge-patch-update</link>
                                                                            <description>
                            <![CDATA[ A whopping 78 vulnerabilities are addressed in Oracle's latest CPU. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">hWddMdMjr9MJfbvSgANEj</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pAvHrNzLzWDEbSzNVMtkAf-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 20 Jul 2011 11:44:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pAvHrNzLzWDEbSzNVMtkAf-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Patch]]></media:description>                                                            <media:text><![CDATA[Patch]]></media:text>
                                <media:title type="plain"><![CDATA[Patch]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pAvHrNzLzWDEbSzNVMtkAf-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Oracle has put out what has been described as a "huge" quarterly Critical Patch Update (CPU), with fixes for 78 <a href="https://www.itpro.com/630430/could-a-vulnerability-tax-work" target="_blank" data-original-url="https://www.itpro.com/630430/could-a-vulnerability-tax-work">vulnerabilities</a> across hundreds of products.</p><p>It marks another big patch announcement, following <a href="https://www.itpro.com/630118/oracle-to-patch-66-security-flaws" target="_blank" data-original-url="https://www.itpro.com/630118/oracle-to-patch-66-security-flaws">the 66 vulnerability CPU in January</a>.</p><p>The hefty update is largely down to Oracle's acquisition of significant companies like PeopleSoft and Sun Microsystems, as well as its own wide range of products, said Amol Sarwate, Vulnerability Labs manager for Qualys.</p><p>"Our top priority goes to patching vulnerabilities that attackers can remotely exploit without authentication and where the affected systems could be exposed to the outside world," Sarwate said.</p><p>"For Sun users this includes nine vulnerabilities that affect Solaris (CVE-2011-2287, CVE-2011-2245, CVE-2011-2294, CVE-2011-2298) SPARC (CVE-2011-2288, CVE-2011-2299, CVE-2011-2307) and Oracle GlassFish Server (CVE-2011-1511, CVE-2011-2260). 
Protocols that attackers could use for exploitation include SSH, HTTP, SSL and KSSL."</p><p>The next priority for IT managers should be to look at vulnerabilities which could be remotely exploitable but affect products which typically would not be exposed due to network segregation or firewalls, Sarwate said.</p><p>This includes patches for Oracle Database Server, Grid Control, Enterprise Manager and PeopleSoft.</p><p>"While some of the products may have a legitimate business reason to be exposed outside of the corporate network, we strongly advise organisations to access their network infrastructures and prioritise patches based on their exposure," Sarwate added.</p><p>"The CPUs are becoming huge. But due to the diversity of affected products, our guess is that many larger organisations could have specialised teams working on different products in order to make the Oracle quarterly CPU a bit more manageable."</p><p>The next Oracle CPU is due for 18 October, which will be the last of 2011. Another will be issued on 17 January.</p><p>Head <a href="http://www.oracle.com/technetwork/topics/security/alerts-086861.html" target="_blank">here</a> for Oracle's CPU announcement and breakdown of affected vulnerabilities.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft confirms record Patch Tuesday ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/632650/microsoft-confirms-record-patch-tuesday</link>
                                                                            <description>
                            <![CDATA[ Next week's Patch Tuesday will fix 64 vulnerabilities in 17 security bulletins. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9kUDW5gwPermQR7EHfYz2b</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/atEf2J5VZrBPbEBztkFJqV-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 08 Apr 2011 12:22:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/atEf2J5VZrBPbEBztkFJqV-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Patch]]></media:description>                                                            <media:text><![CDATA[Patch]]></media:text>
                                <media:title type="plain"><![CDATA[Patch]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/atEf2J5VZrBPbEBztkFJqV-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft will fix more vulnerabilities than any previous Patch Tuesday when it issues its monthly update list next week.</p><p>The Redmond giant said it would fix 64 vulnerabilities in 17 security bulletins on 12 April across various Microsoft products, including all versions of Windows.</p><p>Nine bulletins were rated as critical and the remaining eight ranked as important.</p><p>Notably, Microsoft has chosen to fix a zero-day MIME HTML (MHTML) vulnerability affecting Internet Explorer, which was used in targeted attacks.</p><p>In March, <a href="https://www.itpro.com/632050/google-accuses-china-of-gmail-tampering" target="_blank" data-original-url="https://www.itpro.com/632050/google-accuses-china-of-gmail-tampering">Google warned</a> the vulnerability, initially reported by Microsoft in January, had been exploited in politically motivated attacks and hit "another popular social site."</p><p>The bug in MHTML - a protocol used by applications to render certain kinds of documents and bring together different content onto one HTML file - was publicly disclosed back in January.</p><p>"This is a huge update and system administrators should plan for deployment as all Windows systems including Server 2008 and Windows 7 are affected by critical bulletins," said Amol Sarwate, manager at the Qualys Vulnerability Research Lab.</p><p>"Frequently used office applications like Excel 2003 through 2010 and PowerPoint 2002 through 2010 are also affected."</p><p>The <a href="https://www.itpro.com/627535/microsoft-plans-biggest-patch-tuesday-ever" target="_blank" data-original-url="https://www.itpro.com/627535/microsoft-plans-biggest-patch-tuesday-ever">previous record Patch Tuesday was issued in October</a> when 49 vulnerabilities were fixed in 16 bulletins.</p><p>Head <a href="http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx" target="_blank">here</a> to see the advance notification for next week's Patch Tuesday.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Imperva CTO blasts Oracle patching ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/630199/imperva-cto-blasts-oracle-patching</link>
                                                                            <description>
                            <![CDATA[ Oracle's patching system needs fixing, according to Imperva's CTO. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">f5Pu99XYEtyZFVMh2dMsPM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/FhBMLVnUGeRW7pUQk6TxJC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 19 Jan 2011 15:12:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/FhBMLVnUGeRW7pUQk6TxJC-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Oracle]]></media:description>                                                            <media:text><![CDATA[Oracle]]></media:text>
                                <media:title type="plain"><![CDATA[Oracle]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/FhBMLVnUGeRW7pUQk6TxJC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Oracle should patch database vulnerabilities more frequently and be more open about what the flaws are, a security expert has claimed.</p><p>Imperva chief technology officer (CTO) Amichai Shulman said Oracle used to issue fixes on a more regular basis, even when it had far fewer products.</p><p>"One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products," Shulman said.</p><p>"The quarterly patch cycle has seen a slow down in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year."</p><p>Shulman said he could not believe "there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities."</p><p>Furthermore, the CTO said Oracle did not elucidate enough on what the vulnerabilities were.</p><p>"Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits," he added.</p><p>"Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening."</p><p>Oracle chose not to comment on Shulman's statement.</p><p>However, Oracle has included a new document in the critical patch update to help administrators better understand the related security vulnerabilities.</p><p>"This text summary of the risk matrices will always include the same information as the standard risk matrices, and is designed for individuals who may not be very familiar with the application of the CVSS standard and its interpretation," Oracle said in a <a href="http://blogs.oracle.com/security" target="_blank">blog</a>.</p><p>Shulman's comments came a day after Oracle released its January 2011 Critical Patch Update, which <a 
href="https://www.itpro.com/630118/oracle-to-patch-66-security-flaws" target="_blank" data-original-url="https://www.itpro.com/630118/oracle-to-patch-66-security-flaws">covered 66 vulnerabilities</a> across a range of products.</p><p>A total of 16 fixes were for Oracle's Fusion Middleware offering alone, two of which had the maximum CVSS Base Score of 10.0.</p><p>A fix for an Oracle Audit Vault vulnerability, which was also handed the maximum CVSS Base Score, was issued.</p><p>"We are seeing fixes for remote execution without authentication, which is very severe," Shulman added.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe finds exploited flaw in Flash Player ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/628189/adobe-finds-exploited-flaw-in-flash-player</link>
                                                                            <description>
                            <![CDATA[ The company fixes one flaw just as another appears. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">4sFxB21KqoqNsLFwKbzg4q</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/uFnQvEALgpkzej5kdek6bQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 29 Oct 2010 15:10:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Eric Doyle ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/uFnQvEALgpkzej5kdek6bQ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[security attack]]></media:description>                                                            <media:text><![CDATA[security attack]]></media:text>
                                <media:title type="plain"><![CDATA[security attack]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/uFnQvEALgpkzej5kdek6bQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Adobe has reported a serious flaw in its Flash Player and in a component of Reader and Acrobat that, when exploited, could allow an attacker to take control.</p><p>The company's developers are having a busy time. This flaw was reported just as Adobe released a large 10-vulnerability patch that included a fix for a previous flaw found in the Shockwave player.</p><p>The new vulnerability spreads across many versions of Flash, Reader and Acrobat and the company said that the fix it has started working on will take over a week to be finalised. The latest release, version 10, will be patched after 9 November, the company has promised, and earlier versions will be covered after 15 November.</p><p>Until these fixes are released, Adobe advises users to delete or rename the "authplay.dll" file that ships with version 9 of Reader and Acrobat. The applications will still work unless the PDF file contains Flash content. If a Flash component is accessed the application will crash. Instructions for disabling the dll can be found in advisory CVE-2010-3654 on the Adobe site.</p><p>Flash Player version 10.1.85.3 and earlier versions are affected on Windows, Macintosh, Linux and Solaris operating systems, as well as 10.1.95.2 and earlier versions for Android.</p><p>The flaw also impacts the authplay.dll component in Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and Unix systems, as well as Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Security assured as Mozilla and Adobe patches emerge ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/628162/security-assured-as-mozilla-and-adobe-patches-emerge</link>
                                                                            <description>
                            <![CDATA[ Nobel Trojan reined in and Shockwave calmed in latest updates. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">e3LRNC8YtNJGCMzq1E2koB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dRFNBfP29VY7c84it2pk88-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 Oct 2010 15:11:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Web Browsers]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Eric Doyle ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dRFNBfP29VY7c84it2pk88-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Adobe Shockwave Player in Mozilla Firefox]]></media:description>                                                            <media:text><![CDATA[Adobe Shockwave Player in Mozilla Firefox]]></media:text>
                                <media:title type="plain"><![CDATA[Adobe Shockwave Player in Mozilla Firefox]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dRFNBfP29VY7c84it2pk88-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Rapid action saw Mozilla issue a fix for the flaw exploited on the <a href="http://nobelprize.org" target="_blank">Nobel Peace Prize website</a> within 48 hours of its discovery. After a week, Adobe has rolled out a patch for Shockwave.</p><p>Visitors using Mozilla Firefox browsers to view the Nobel Peace Prize website were alarmed to find that a Trojan had been secreted there. Within two days of receiving a report from Norwegian security firm Telenor, the patch had been <a href="http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/%20" target="_blank">issued for versions 3.5 and 3.6 of the browser</a>.</p><p>The company has issued a statement that assures users of the Firefox 4 beta that they are safe, even though their browsers had the same flaw.</p><p>"Firefox 4 beta users appear safe for the moment," Daniel Veditz, a Mozilla security engineer, blogged.</p><p>"The underlying problematic code does exist, but other code changes since Firefox 3.6 seem to be shielding us from the vulnerability."</p><p>Telenor said that visitors to the Nobel site were redirected to a Taiwanese server that responded with a JavaScript exploit. The script was designed to install a Trojan horse on any redirected Windows PC. In turn, the Trojan downloaded more malware, putting the hacker in complete control.</p><p>The Trojan has also been neutralised by Avira, a German security company. The Trojan's links to the hacker's command-and-control servers had been severed, Avira said.</p><p>Adobe has also been busy patching a vulnerability that surfaced in Shockwave Player version 11.5.8.612 and earlier for Mac and Windows. Unlike the Firefox vulnerability, the Adobe flaw was being targeted by several attacks.</p><p>In an advisory issued over a week ago, Adobe warned that an attacker could cause a system crash and take control of any vulnerable system.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe zero-day flaw code published ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/627946/adobe-zero-day-flaw-code-published</link>
                                                                            <description>
                            <![CDATA[ A critical vulnerability for Adobe Shockwave Player has been discovered but no patch date has been confirmed. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">jujYJUeFdiSXwQpBXqvGt1</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LfzBzbnTDJ98GXTC2x5dzb-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 22 Oct 2010 10:51:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LfzBzbnTDJ98GXTC2x5dzb-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Adobe Shockwave]]></media:description>                                                            <media:text><![CDATA[Adobe Shockwave]]></media:text>
                                <media:title type="plain"><![CDATA[Adobe Shockwave]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LfzBzbnTDJ98GXTC2x5dzb-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The code for a zero-day vulnerability affecting Adobe Shockwave Player has been published and the software maker has not yet promised a patch date.</p><p>Adobe acknowledged the hole affecting Shockwave Player 11.5.8.612 and earlier versions on the Windows and Mac operating systems, after a researcher made the exploit code public.</p><p>If exploited, the flaw "could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said.</p><p>"While details about the vulnerability have been disclosed publicly, Adobe is not aware of any attacks exploiting this vulnerability against Adobe Shockwave Player to date," the firm noted in a <a href="http://www.adobe.com/support/security/advisories/apsa10-04.html" target="_blank">security advisory</a>.</p><p>Adobe said it is currently working on getting a schedule together for an update to address the vulnerability in Shockwave Player.</p><p>The company shares information about this and other vulnerabilities through the Microsoft Active Protections Program, which <a href="https://www.itpro.com/625618/adobe-joins-microsoft-security-initiative" target="_blank" data-original-url="https://www.itpro.com/625618/adobe-joins-microsoft-security-initiative">it joined in July</a>.</p><p>Sharing this information with partners in the security community enables them to "quickly develop detection and quarantine methods to protect users until a patch is available," Adobe assured.</p><p>"As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date," the firm added.</p><p><em>IT PRO</em> recently caught up with Brad Arkin, Adobe's director for product security and privacy, to talk about <a href="https://www.itpro.com/627640/qa-adobes-brad-arkin-on-dealing-with-security" target="_blank" data-original-url="https://www.itpro.com/627640/qa-adobes-brad-arkin-on-dealing-with-security">how the company tackles 
serious vulnerabilities</a> such as the above.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple patches security flaw in Snow Leopard ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/627070/apple-patches-security-flaw-in-snow-leopard</link>
                                                                            <description>
                            <![CDATA[ The company releases a patch to prevent hackers accessing Mac users’ files. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">mLuZ8whTrY9jwu1uNKaJpg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fTwss5CPULkgyWgpvYcqWd-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 21 Sep 2010 10:22:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Apple]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jennifer Scott ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fTwss5CPULkgyWgpvYcqWd-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Apple logo]]></media:description>                                                            <media:text><![CDATA[Apple logo]]></media:text>
                                <media:title type="plain"><![CDATA[Apple logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fTwss5CPULkgyWgpvYcqWd-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.apple.com" target="_blank">Apple</a> has unveiled a patch to address a security flaw in its operating system.</p><p>The update for version 10.6.4 of <a href="https://www.itpro.com/615916/head-to-head-windows-7-vs-snow-leopard" target="_blank" data-original-url="https://www.itpro.com/615916/head-to-head-windows-7-vs-snow-leopard">Snow Leopard</a> fixes a bug allowing <a href="https://www.itpro.com/626113/hackers-hunt-hackers-in-credit-card-company-compromise" target="_blank" data-original-url="https://www.itpro.com/626113/hackers-hunt-hackers-in-credit-card-company-compromise">hackers</a> to remotely access shared folders and files on a machine, just with the knowledge of a username.</p><p>Although not all users have filesharing enabled, the patch is still being recommended to all in case they later choose to activate the preference.</p><p>There is yet to be any news of a server version of this update, so it appears the flaw only currently affects client machines.</p><p>The update is available either as an automatic update or via Apple's website if you <a href="http://support.apple.com/kb/DL1105" target="_blank">click here</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe to fix critical flaws ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/625828/adobe-to-fix-critical-flaws</link>
                                                                            <description>
                            <![CDATA[ Adobe has said it will be issuing fixes for some critical Reader and Acrobat vulnerabilities later this month. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">tMqm6QkfKsydFmTpuziGz</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Gxnqx2otwzSRbPGThLZ99Z-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 06 Aug 2010 12:34:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Gxnqx2otwzSRbPGThLZ99Z-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Adobe Reader]]></media:description>                                                            <media:text><![CDATA[Adobe Reader]]></media:text>
                                <media:title type="plain"><![CDATA[Adobe Reader]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Gxnqx2otwzSRbPGThLZ99Z-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.adobe.com" target="_blank">Adobe</a> will fix some critical security issues in its Reader and Acrobat products this month, affecting various versions of the software.</p><p>Updates are expected to be rolled out during the week commencing 16 August, according to a <a href="http://www.adobe.com/support/security/bulletins/apsb10-17.html" target="_blank">security advisory</a>.</p><p>The affected software includes Adobe Reader 9.3.3 for Windows, Mac and UNIX, as well as Acrobat 9.3.3 for Windows and Mac, and Reader 8.2.3 and Acrobat 8.2.3 for Windows and Mac.</p><p>The fixes are out-of-cycle releases, Adobe explained, and there will be another security update for Reader and Acrobat software on 12 October.</p><p>The security flaw was uncovered by Charlie Miller, a researcher at Independent Security Evaluators, during the Black Hat USA 2010 security conference in July.</p><p>The vulnerability could be exploited when a maliciously designed TrueType font is embedded into a PDF, allowing memory to be corrupted, according to security advisory provider <a href="http://secunia.com/advisories/40766" target="_blank">Secunia</a>.</p><p><a href="https://www.itpro.com/625618/adobe-joins-microsoft-security-initiative" target="_blank" data-original-url="https://www.itpro.com/625618/adobe-joins-microsoft-security-initiative">Adobe recently joined the Microsoft Active Protections Program</a>, allowing the Flash creator to share security information about such vulnerabilities with the other 65 members of the initiative.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft issues emergency patch for shortcut loophole ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/625690/microsoft-issues-emergency-patch-for-shortcut-loophole</link>
                                                                            <description>
                            <![CDATA[ The software giant has been forced to step out of its normal Patch Tuesday cycle to address a vulnerability leaving all Windows PCs open to attack. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dqB9PzaazKvnpptPHnd4s4</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/k9Bw8DWd8tEgDjoJCZGguY-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 02 Aug 2010 14:43:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Martin James ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/k9Bw8DWd8tEgDjoJCZGguY-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft fix]]></media:description>                                                            <media:text><![CDATA[Microsoft fix]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft fix]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/k9Bw8DWd8tEgDjoJCZGguY-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.microsoft.co.uk" target="blank">Microsoft</a> is to issue an emergency patch later today to fix a critical flaw in Windows that enables hackers to gain remote access to PCs.</p><p>The vulnerability, which affects every version of Windows, relates to how Windows uses shortcut file icons - .lnk - and leaves an open door for attackers to create booby-trapped shortcuts to take over a target computer when double-clicked.</p><p>According to Microsoft, the malware can be launched by infected USB drives or network connections.</p><p>Microsoft first warned Windows users about the vulnerability on 16 July, stating at the time: "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed."</p><p>"This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV."</p><p>However, following a sudden surge in the number of related attacks, Microsoft has decided to step out of its usual pattern of issuing updates on every second Tuesday of the month, and is expected to release a patch at 6pm BST.</p><p>"We're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability," Christopher Budd, a senior security response manager at Microsoft, wrote on the company's blog.</p><p>"We firmly believe that releasing the update out-of-band is the best thing to do to help protect our customers."</p><p>As a stopgap solution, Microsoft has released details of a temporary fix on its website, showing users how to stop .lnk folder icons from appearing on their desktop at all.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe patch bypass found ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/624952/adobe-patch-bypass-found</link>
                                                                            <description>
                            <![CDATA[ The fix released last week has not entirely solved the flaws in Adobe Reader. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5ZMvbRoP8uKoJJsL8cZvmU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/XXQiU5j7dY9JLSjAXCesGB-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 07 Jul 2010 11:02:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jennifer Scott ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/XXQiU5j7dY9JLSjAXCesGB-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Adobe logo]]></media:description>                                                            <media:text><![CDATA[Adobe logo]]></media:text>
                                <media:title type="plain"><![CDATA[Adobe logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/XXQiU5j7dY9JLSjAXCesGB-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A workaround for the <a href="https://www.itpro.com/624625/adobe-brings-forward-critical-patch" target="_blank" data-original-url="https://www.itpro.com/624625/adobe-brings-forward-critical-patch">latest Adobe patch</a> has been discovered by researchers, meaning its Reader product is still vulnerable to attacks.</p><p>Didier Stevens, a security researcher from Belgium, was the first to find the flaw in Adobe Reader back in March, which enabled hackers to take over machines and easily run <a href="https://www.itpro.com/624160/is-mobile-malware-really-a-risk" target="_blank" data-original-url="https://www.itpro.com/624160/is-mobile-malware-really-a-risk">malware</a>.</p><p>In his latest <a href="http://blog.didierstevens.com/2010/07/04/quickpost-preventing-the-launch-action-cmd-exe-bypass" target="_blank">blog post</a>, Stevens has claimed the patch released by Adobe last Tuesday, which aimed to fix 17 vulnerabilities overall, still did not fully protect a user from hack attacks.</p><p>"I did some research and discovered that Adobe implemented a blacklist of extensions for the launch action, but that the blacklisting functionality identifies the file type of "cmd.exe" as .exe", and not .exe," he wrote.</p><p>This means that, by simply including double quote marks around a file name, hackers are still able to get a PDF to run malware.</p><p>Stevens has raised the issue, discovered by another researcher, Le Mahn Tung, with Adobe, and the company has admitted its blacklisting technique was not ideal.</p><p>"While blacklist capabilities alone are not a perfect solution to defend against those with malicious intent this option reduces the risk of attack, while minimising the impact on customers relying on workflows that depend on the launch functionality," wrote Brad Arkin on the <a href="http://blogs.adobe.com/asset/2010/07/update_on_functionality_change.html" target="_blank">Adobe Secure Software Engineering Team blog</a>.</p><p>"We will evaluate this workaround to determine whether additional changes to the blacklist are required."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe brings forward critical patch ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/624625/adobe-brings-forward-critical-patch</link>
                                                                            <description>
                            <![CDATA[ The company has reminded users the patch for Reader and Acrobat due next week will replace its quarterly update for July. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sFAS5GpmComYgks5m6rSYn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/e7Aw3UdwQpFo3ZmWK6uQH7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 25 Jun 2010 11:44:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jennifer Scott ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/e7Aw3UdwQpFo3ZmWK6uQH7-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Adobe]]></media:description>                                                            <media:text><![CDATA[Adobe]]></media:text>
                                <media:title type="plain"><![CDATA[Adobe]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/e7Aw3UdwQpFo3ZmWK6uQH7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A patch to fix a critical flaw in two of <a href="http://www.adobe.com" target="_blank">Adobe's</a> products has been brought forward to 29 June.</p><p>The patch will address a flaw in the authplay.dll component in Adobe Reader and Acrobat 9.x products, which could lead to machines crashing or being taken over by an attacker.</p><p>It is replacing the company's quarterly patch which was due to go out on 13 July.</p><p>The flaws affecting versions across Windows, Mac and UNIX platforms were <a href="https://www.itpro.com/624031/adobe-admits-critical-flash-flaw" target="_blank" data-original-url="https://www.itpro.com/624031/adobe-admits-critical-flash-flaw">discovered earlier this month</a>, along with a critical flaw in Adobe Flash Player. However, the <a href="https://www.itpro.com/624115/adobe-to-fix-flash-flaw" target="_blank" data-original-url="https://www.itpro.com/624115/adobe-to-fix-flash-flaw">Flash issue</a> was patched in a matter of days.</p><p>The flaws could not have come at a worse time for Adobe, which has been embroiled in a war of words with <a href="http://www.apple.com" target="_blank">Apple</a> over the security of its products, specifically Flash.</p><p>Apple chief executive <a href="https://www.itpro.com/622864/jobs-blog-claims-adobes-flash-falls-short" target="_blank" data-original-url="https://www.itpro.com/622864/jobs-blog-claims-adobes-flash-falls-short">Steve Jobs claimed the Flash Player had too many bugs and was a battery drainer</a>, so he would not incorporate it into the likes of the <a href="https://www.itpro.com/622291/apple-ipad-review" target="_blank" data-original-url="https://www.itpro.com/622291/apple-ipad-review">iPad</a> or iPhone.</p><p><a href="https://www.itpro.com/622888/adobe-slams-jobs-blog-as-a-smokescreen" target="_blank" data-original-url="https://www.itpro.com/622888/adobe-slams-jobs-blog-as-a-smokescreen">Adobe fought back when its chief executive Shantanu Narayen claimed Jobs' comments were a "smokescreen"</a> to draw attention away from his closed approach to the mobile market, but these latest critical flaws have left question marks hanging in the air.</p><p>For more information on the flaws, <a href="http://www.adobe.com/support/security/advisories/apsa10-01.html" target="_blank">click here to read Adobe's security advisories</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe to fix Flash flaw ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/624115/adobe-to-fix-flash-flaw</link>
                                                                            <description>
                            <![CDATA[ A fix is being rushed out this Thursday for the critical flaw found in Adobe’s Flash Player, with patches for Reader and Acrobat coming out before the month is over. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dJzBv2mSHdM41E4Zovtzji</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/rMKN7Wz3G3mGPFG5gvkZNh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 09 Jun 2010 11:31:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Apple]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jennifer Scott ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/rMKN7Wz3G3mGPFG5gvkZNh-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Patch]]></media:description>                                                            <media:text><![CDATA[Patch]]></media:text>
                                <media:title type="plain"><![CDATA[Patch]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/rMKN7Wz3G3mGPFG5gvkZNh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.adobe.com" target="_blank">Adobe</a> will release a patch for the <a href="https://www.itpro.com/624031/adobe-admits-critical-flash-flaw" target="_blank" data-original-url="https://www.itpro.com/624031/adobe-admits-critical-flash-flaw">critical flaw found in its Flash Player</a> by tomorrow at the latest, the company has confirmed.</p><p>The vulnerability was revealed late last week through an <a href="http://www.adobe.com/support/security/advisories/apsa10-01.html" target="_blank">Adobe Security Advisory</a>, warning users that if it was exploited the machine could crash or be taken over by a hacker.</p><p>An update on the advisory said: "We are in the process of finalising a fix for the issue, and expect to provide an update for Flash Player 10.x for <a href="https://www.itpro.com/622807/microsoft-taking-windows-7-beyond-the-pc" target="_blank" data-original-url="https://www.itpro.com/622807/microsoft-taking-windows-7-beyond-the-pc">Windows</a>, <a href="https://www.itpro.com/tag/spyware" target="_blank" data-original-url="https://www.itpro.com/623908/spyware-found-on-popular-mac-websites">Macintosh</a>, and <a href="https://www.itpro.com/621766/building-on-a-linux-brand" target="_blank" data-original-url="https://www.itpro.com/621766/building-on-a-linux-brand">Linux</a> by June 10, 2010."</p><p>However, it admitted that a patch date for the Solaris version was "still to be determined."</p><p>Other vulnerabilities were also discovered in Adobe Reader and Acrobat, but these will not be patched until 29 June as an accelerated update to the one due in mid-July. This means no patches will be released on 13 July as originally scheduled.</p><p>This latest flaw in Adobe's programs has brought embarrassment to the company at a time when it is fighting <a href="http://www.apple.com/uk" target="_blank">Apple</a> over Flash support exclusion in the <a href="https://www.itpro.com/624019/the-iphone-4g-what-to-expect" target="_blank" data-original-url="https://www.itpro.com/624019/the-iphone-4g-what-to-expect">iPhone</a> and <a href="https://www.itpro.com/622291/apple-ipad-review" target="_blank" data-original-url="https://www.itpro.com/622291/apple-ipad-review">iPad</a>.</p><p>Apple's chief executive (CEO) Steve Jobs claimed he would not include support for Adobe Flash in the devices as it was too buggy and drained battery power.</p><p>Adobe's CEO <a href="https://www.itpro.com/622888/adobe-slams-jobs-blog-as-a-smokescreen" target="_blank" data-original-url="https://www.itpro.com/622888/adobe-slams-jobs-blog-as-a-smokescreen">Shantanu Narayen fought back against the claims in an interview with the Wall Street Journal</a>, but these recent flaws have brought the spotlight back on the company's product security.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft pulls ineffective server patch ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/622669/microsoft-pulls-ineffective-server-patch</link>
                                                                            <description>
                            <![CDATA[ The patch doesn't fix the Windows 2000 Server problem 'effectively,' Microsoft said. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uMMHpvadY1nRVeMsQDqMTK</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fkpYyzSc7gamNYH6Y4amj4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 23 Apr 2010 10:46:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nicole Kobie ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fkpYyzSc7gamNYH6Y4amj4-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[security key]]></media:description>                                                            <media:text><![CDATA[security key]]></media:text>
                                <media:title type="plain"><![CDATA[security key]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fkpYyzSc7gamNYH6Y4amj4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has been forced to pull a security patch for a problem in Windows 2000 Server because the fix isn't working.</p><p>Originally issued as part of <a href="https://www.itpro.com/622357/microsoft-adobe-and-oracle-fix-critical-flaws" target="_blank" data-original-url="https://www.itpro.com/622357/microsoft-adobe-and-oracle-fix-critical-flaws">April's monthly patching cycle</a> - known as Patch Tuesday - the update addressed a critical flaw in Windows 2000 Server, which only affected systems with Windows Media Services installed but could have allowed remote code execution.</p><p>Microsoft's security communications manager Jerry Bryant explained that the update was pulled "because we found it does not address the underlying issue effectively."</p><p>"We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week," he added in a <a href="http://blogs.technet.com/msrc/archive/2010/04/21/ms10-025-security-update-to-be-re-released.aspx" target="_blank">blog post</a>.</p><p>Bryant added that Microsoft had a list of workarounds that admins could use in the meantime, available in the <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-025.mspx" target="_blank">original security bulletin</a>, and recommended that affected customers should use a firewall to limit exposure.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple updates Snow Leopard, fixes 69 flaws ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/621943/apple-updates-snow-leopard-fixes-69-flaws</link>
                                                                            <description>
                            <![CDATA[ The latest version of Snow Leopard includes a wide-reaching set of security fixes for OS X 10.6 and 10.5 users. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aUQUTG1o1RaEhMw5YH35tM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/PWDnjidvBsXZNVvv7fY4Fm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 30 Mar 2010 10:39:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Apple]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Martin James ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/PWDnjidvBsXZNVvv7fY4Fm-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[apple logo]]></media:description>                                                            <media:text><![CDATA[apple logo]]></media:text>
                                <media:title type="plain"><![CDATA[apple logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/PWDnjidvBsXZNVvv7fY4Fm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.apple.com" target="blank">Apple's</a> latest update to its Leopard and Snow Leopard operating systems brings with it a total of 69 security fixes, many of them labelled as critical.</p><p>The company rolled out Mac OS X 10.6.3 yesterday, and with it issued Security Update 2010-002 for existing users of both client and server versions of OS X 10.6 Snow Leopard and OS X 10.5 Leopard. The security update is already incorporated in OS X 10.6.3.</p><p>According to the release notes, 69 security-related changes have been made in total across the various versions of the OS.</p><p>QuickTime alone is responsible for nine of the fixes, including addressing a heap buffer overflow in the program's handling of movies encoded in H.263, H.261, RLE, M-JPEG, FLC and MPEG formats, and dealing with memory corruptions in QuickTime's handling of H.264 and Sorenson movie files.</p><p>Many of the other security fixes to Snow Leopard apply solely to server-related components such as Wiki Server, Apache and iChat Server.</p><p>Separate patches are included for many of the open-source and UNIX components in Mac OS X, including PHP, MySQL and Ruby.</p><p>In addition to the QuickTime fixes for issues that could leave the door open for maliciously crafted movie files, CoreImage and ImageIO fixes beef up the OS' defences against malicious image files.</p><p>Aside from the security fixes, OS 10.6.3 brings with it a number of usability and performance tweaks too.</p><p>Users should see improved wireless networking performance including better Wi-Fi security, fixes for sleep/wake issues when connected with Wi-Fi and better wireless Time Machine backups to a Time Capsule.</p><p>The update also improves compatibility with OpenGL-based applications, boosts printing reliability and reliability of third-party USB input devices, and resolves issues with recurring events in iCal when connected to an Exchange server.</p><p>Apple has also adjusted its Crash Reporter mechanism for reporting application and system crashes. When clicking on the Send to Apple button, not only will the system now send Crash Reporter state data, but also information on the applications and hardware devices connected to your Mac as well as recent system log info.</p><p>This simply automates the sending of information which is requested by Apple anyway when it follows up a crash report, with the company insisting it is completely anonymous.</p><p>Apple has issued detailed release notes on both the <a href="http://support.apple.com/kb/HT4014" target="blank">OS X 10.6.3</a> update and <a href="http://support.apple.com/kb/HT4077" target="blank">Security Update 2010-002</a>, which include instructions for downloading and installing the updates.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft issues out of band IE patch ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/621934/microsoft-issues-out-of-band-ie-patch</link>
                                                                            <description>
                            <![CDATA[ Microsoft has rolled out a series of patches ahead of schedule for its Internet Explorer browser. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">mWdk8fjut3qVNQGMYbbJHg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/aiAGwFSirsAWWqFKjpP9hK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 30 Mar 2010 08:50:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nicole Kobie ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/aiAGwFSirsAWWqFKjpP9hK-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[IE logo]]></media:description>                                                            <media:text><![CDATA[IE logo]]></media:text>
                                <media:title type="plain"><![CDATA[IE logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/aiAGwFSirsAWWqFKjpP9hK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has issued another patch for Internet Explorer, this time outside of its regular monthly update cycle.</p><p>The patch fixes a <a href="https://www.itpro.com/621298/yet-another-flaw-hits-ie-browser" target="_blank" data-original-url="https://www.itpro.com/621298/yet-another-flaw-hits-ie-browser">zero-day flaw in IE6 and IE7</a> that takes advantage of an invalid pointer reference to allow remote code execution if a user visits a malware-loaded page.</p><p>Attackers have already been making use of the flaw, Microsoft said earlier this month.</p><p>"We have been monitoring this issue and have determined an out-of-band release is needed to protect customers," communications head Jerry Bryant said on the Microsoft security blog.</p><p>Microsoft stressed that its most recent browser, IE8, was not affected by the flaw, and again urged users to update to that version.</p><p>The update will also include fixes for nine other vulnerabilities in the browser, which were going to be released on 13 April as part of the monthly patching cycle - effectively giving admins two big patches to roll out in the next few weeks.</p><p>"Some of those also affect Internet Explorer 8," said Bryant. "All of the nine additional vulnerabilities were responsibly disclosed and we are not aware of any active attacks against them."</p><p>The patches will roll out later this afternoon, via Microsoft's automatic update process.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Will there be an out-of-band update for latest IE flaw? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/621439/will-there-be-an-out-of-band-update-for-latest-ie-flaw</link>
                                                                            <description>
                            <![CDATA[ Microsoft has confirmed it is working on a fix for yet another flaw in Internet Explorer, but it is remaining cagey about the release date. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2mhWxevxPpv7YHkBnc4u2x</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WnxbSiJMdTVU4oNk4jmnUH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 15 Mar 2010 11:01:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jennifer Scott ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WnxbSiJMdTVU4oNk4jmnUH-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Flaw fix]]></media:description>                                                            <media:text><![CDATA[Flaw fix]]></media:text>
                                <media:title type="plain"><![CDATA[Flaw fix]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WnxbSiJMdTVU4oNk4jmnUH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.microsoft.com" target="_blank">Microsoft</a> has confirmed it is working on a fix for the <a href="https://www.itpro.com/621298/yet-another-flaw-hits-ie-browser" target="_blank" data-original-url="https://www.itpro.com/621298/yet-another-flaw-hits-ie-browser">latest critical Internet Explorer (IE) flaw</a>, but would not confirm an emergency repair before April's Patch Tuesday.</p><p>Jerry Bryant, senior security communications manager at Microsoft, said in a <a href="http://blogs.technet.com/msrc/default.aspx" target="_blank">blog post</a> his team was testing an update but would not verify when users could get their hands on it, as thorough testing on all affected versions needed to take place first.</p><p>"We have seen speculation that Microsoft might release an update for this issue out-of-band," he wrote. "I can tell you that we are working hard to produce an update which is now in testing."</p><p>"We never rule out the possibility of an out-of-band update. 
When the update is ready for broad distribution, we will make that decision based on customer needs."</p><p>The latest flaw in the troubled browser, linked to an invalid pointer reference, came to light last Wednesday when Microsoft admitted the vulnerability was already being taken advantage of by hackers.</p><p>As with many recent flaws, this one only affects <a href="https://www.itpro.com/613777/microsoft-refuses-to-kill-off-ie6-over-personal-choice" target="_blank" data-original-url="https://www.itpro.com/613777/microsoft-refuses-to-kill-off-ie6-over-personal-choice">IE6</a> and <a href="https://www.itpro.com/software/microsoft" target="_blank" data-original-url="https://www.itpro.com/102105/microsoft-triumphant-as-ie7-tops-100-million-users">IE7</a>, so as ever Microsoft is advising users to upgrade to the latest version of the browser, <a href="https://www.itpro.com/610250/internet-explorer-8-review" target="_blank" data-original-url="https://www.itpro.com/610250/internet-explorer-8-review">IE8</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe fixes download manager flaw ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/620821/adobe-fixes-download-manager-flaw</link>
                                                                            <description>
                            <![CDATA[ Adobe has issued a fix for a flaw in its Download Manager, after the vulnerability was highlighted in a researcher's blog. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">xhZE77dBZuuMshnLVKqZi</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/PivZ47iKy3heBnjxSSUERc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 24 Feb 2010 10:41:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nicole Kobie ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/PivZ47iKy3heBnjxSSUERc-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[security key]]></media:description>                                                            <media:text><![CDATA[security key]]></media:text>
                                <media:title type="plain"><![CDATA[security key]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/PivZ47iKy3heBnjxSSUERc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Adobe has issued an out-of-band patch for a flaw in its Download Manager after being accused by a security researcher of "downplaying" the issue.</p><p><a href="http://blogs.adobe.com/psirt/2010/02/security_update_released_for_t.html" target="_blank">Adobe described the flaw</a> as a "critical security issue" and said it "could potentially allow an attacker to download and install unauthorised software onto a user's system."</p><p>Earlier this week, researcher <a href="https://www.itpro.com/620743/did-adobe-downplay-security-flaw" target="_blank" data-original-url="https://www.itpro.com/620743/did-adobe-downplay-security-flaw">Aviv Raff said he had warned Adobe</a> about the flaw, saying it could allow hackers to force their own software to be downloaded using the manager. Adobe responded that the issue wasn't serious.</p><p>"Instead of admitting that this design flaw is indeed a problem which can be abused by malicious attackers, Adobe decided to downplay this issue," Raff wrote in his <a href="http://aviv.raffon.net/2010/02/18/SkeletonsInAdobesSecurityCloset.aspx" target="_blank">blog</a> at the time.</p><p>Days later, Adobe has fixed the problem, and thanked Raff and his fellow researcher Yorick Koster for flagging the issue.</p><p>Adobe advised anyone who has used the tool to download Reader or the Flash player for Windows before yesterday to make sure they don't have a compromised version hanging around on their computer.</p><p>The <a href="http://www.adobe.com/support/security/bulletins/apsb10-08.html" target="_blank">security bulletin</a> advised users to check to see if they've been affected by the flaw by searching for the 'C:\Program Files\NOS' folder and looking for 'getPlus(R) Helper' in services. If they are found, then simply delete them, Adobe said.</p><p>For new downloads, the hole has been patched and the tool is now safe to use.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Adobe to patch critical flaws in Reader and Acrobat ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/620545/adobe-to-patch-critical-flaws-in-reader-and-acrobat</link>
                                                                            <description>
                            <![CDATA[ Adobe will release a number of critical security patches today for both Windows and Mac users with Reader and Acrobat. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5LHUFKtUdrXeg3hzk7Wyea</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/PAmVATw4uGnM3b3uhByqxC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 16 Feb 2010 11:58:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jennifer Scott ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/PAmVATw4uGnM3b3uhByqxC-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Adobe logo]]></media:description>                                                            <media:text><![CDATA[Adobe logo]]></media:text>
                                <media:title type="plain"><![CDATA[Adobe logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/PAmVATw4uGnM3b3uhByqxC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.adobe.com" target="_blank">Adobe</a> will today patch a number of critical flaws in both its <a href="https://www.itpro.com/619960/uks-big-firms-to-use-more-free-software-in-2010" target="_blank" data-original-url="https://www.itpro.com/619960/uks-big-firms-to-use-more-free-software-in-2010">Reader</a> and <a href="https://www.itpro.com/611623/adobe-acrobatcom-leaves-beta-adds-spreadsheets" target="_blank" data-original-url="https://www.itpro.com/611623/adobe-acrobatcom-leaves-beta-adds-spreadsheets">Acrobat</a> offerings.</p><p>The flaws, which affect both <a href="https://www.itpro.com/620515/mps-set-for-vista-upgrade-rather-than-windows-7" target="_blank" data-original-url="https://www.itpro.com/620515/mps-set-for-vista-upgrade-rather-than-windows-7">Windows</a> and Mac users, are considered "critical security issues" and include a previously noted issue in Adobe's <a href="https://www.itpro.com/620371/adobe-claims-seven-million-iphone-users-want-flash" target="_blank" data-original-url="https://www.itpro.com/620371/adobe-claims-seven-million-iphone-users-want-flash">Flash Player</a>, which could be used to subvert the domain sandbox and make unauthorised cross-domain requests.</p><p>The updates will affect Adobe Reader 9.3 for Windows, Mac and <a href="https://www.itpro.com/618034/bona-fide-open-source" target="_blank" data-original-url="https://www.itpro.com/618034/bona-fide-open-source">UNIX</a>, Adobe Acrobat 9.3, Adobe Reader 8.2 and Acrobat 8.2 for Windows and Mac.</p><p>It is the third patch from Adobe in less than two months following critical vulnerabilities in Shockwave and the introduction of the Auto Updater.</p><p>As ever, Adobe recommends that all its users update to the latest versions of its products to keep themselves better protected.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft's out-of-band IE patch to arrive tonight ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/619660/microsofts-out-of-band-ie-patch-to-arrive-tonight</link>
                                                                            <description>
                            <![CDATA[ Microsoft has rushed out a patch for a flaw in Internet Explorer. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">jybbVJQGvtq1LWRkmeHYU6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/qQWwCjPACgzSQ2a92VPGT9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 21 Jan 2010 09:46:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nicole Kobie ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/qQWwCjPACgzSQ2a92VPGT9-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[internet explorer]]></media:description>                                                            <media:text><![CDATA[internet explorer]]></media:text>
                                <media:title type="plain"><![CDATA[internet explorer]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/qQWwCjPACgzSQ2a92VPGT9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The patch for the Internet Explorer flaw thought to be behind the Google hack will arrive tonight, Microsoft has said.</p><p>Writing on the Microsoft security blog, Jerry Bryant said the patch would be issued as close to 10:00 am PST - 5pm in Britain - as possible.</p><p>Advising users to update immediately, Bryant said: "It addresses the vulnerability related to recent attacks against Google and small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicised."</p><p>However, Microsoft continued to say that attacks in the wild were only targeting IE6 - not the newer versions of the browser. "Based on our comprehensive monitoring of the threat landscape, we continue to see only limited attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6," Bryant noted in the bulletin.</p><p>The IE6 vulnerability is thought to be behind the battle between Google and China, and has also led Germany and France to issue warnings against using the dated browser.</p><p>The UK finally warned its own users yesterday, with a Cabinet Office statement saying: "Government departments have been issued an alert on how to deal with this particular incident and to mitigate against vulnerabilities in relation to particular versions of IE."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple Snow Leopard patches a dozen security issues ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/619639/apple-snow-leopard-patches-a-dozen-security-issues</link>
                                                                            <description>
                            <![CDATA[ Apple has issued its first Mac OS X update of the new year, and has added Windows 7 support to Boot Camp too. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dkn2E7a8ox5SgUK2DiBbaf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/DLXBZeYNF2EAzPZjcubHGQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 20 Jan 2010 12:12:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Apple]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Martin James ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/DLXBZeYNF2EAzPZjcubHGQ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Apple logo]]></media:description>                                                            <media:text><![CDATA[Apple logo]]></media:text>
                                <media:title type="plain"><![CDATA[Apple logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/DLXBZeYNF2EAzPZjcubHGQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.apple.com" target="blank">Apple</a> has released its first software patch of 2010 for Mac OS X Leopard and Snow Leopard, and has added support for <a href="http://www.microsoft.com/windows/windows-7" target="blank">Windows 7</a> in the latest version of its Boot Camp virtualisation software.</p><p>The patch - or <a href="http://support.apple.com/kb/HT4004" target="blank">Software Update 2010-001</a>, to use its full name - addresses a total of 12 vulnerabilities in Apple's version 10.5 and 10.6 operating systems, including a loophole in the systems' CoreAudio, which leaves the OS potentially vulnerable to malicious code hidden in an MP4 audio file.</p><p>Other security issues addressed include similar vulnerabilities in Image RAW's DNG file-handling and the ImageIO software that could be used to execute arbitrary code. The Flash Player plug-in, meanwhile, accounts for seven of the 12 tweaks, and is now on version 10.0.42, matching an update already issued on <a href="http://www.adobe.com" target="blank">Adobe's side last month</a> to close a number of security vulnerabilities.</p><p>A patch for the OpenSSL network encryption system has also been included as a preventative measure to guard against a known man-in-the-middle vulnerability between the SSL and TLS protocols.</p><p>The latest version of Boot Camp, 3.1, brings long-awaited support for Windows 7, in Home Premium, Professional and Ultimate varieties, while also addressing some issues with the trackpad, adding support for Apple's wireless keyboard and its latest Magic Mouse and turning off the digital audio LED when not in use.</p><p>Apple says Security Update 2010-001 is "recommended for all users and improves the security of Mac OS X", labelling nine of the 12 issues as potentially leading to "arbitrary code execution".</p><p>The version for Snow Leopard comes in at a fairly streamlined 21.9MB, while separate Client and Server options have been released 
for Mac OS X 10.5 Leopard, weighing in at a meatier 159.58MB and 248.11MB respectively.</p><p>However, the first OS X patch of the new decade is less than half the size of the 10.6.2 Snow Leopard update issued in November last year, which fixed a total of 58 flaws and was up to 479MB in size.</p><p>The updates are available through the usual Software Update utility, or through the <a href="http://www.apple.com/support" target="blank">support section</a> on Apple's website. The latter is also where you'll find <a href="http://www.apple.com/support/bootcamp" target="blank">Boot Camp 3.1</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft issues emergency patch for IE flaw ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/619636/microsoft-issues-emergency-patch-for-ie-flaw</link>
                                                                            <description>
                            <![CDATA[ Microsoft is being forced to step in and patch up the hole at the centre of the battle between Google and China. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">jGC9mAz1FLbcatUuA7p4B1</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2u5dAqrZYnGfrrkud8PtTc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 20 Jan 2010 10:50:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Web Browsers]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Martin James ]]></dc:creator>                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2u5dAqrZYnGfrrkud8PtTc-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[patched computer]]></media:description>                                                            <media:text><![CDATA[patched computer]]></media:text>
                                <media:title type="plain"><![CDATA[patched computer]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2u5dAqrZYnGfrrkud8PtTc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="http://www.microsoft.co.uk" target="blank">Microsoft</a> is to release an emergency patch for the Internet Explorer (IE) flaw that has seen Google and several other major companies hacked over recent months, saying it has little choice given the "escalating threat environment".</p><p>Despite claiming that only the ageing <a href="https://www.itpro.com/619519/microsoft-warns-of-ie6-vulnerability" data-original-url="https://www.itpro.com/619519/microsoft-warns-of-ie6-vulnerability">Internet Explorer 6 is vulnerable</a> to the attacks, and that they are very limited in nature, the company is nonetheless issuing an out-of-cycle update across the board.</p><p>Earlier this week, Microsoft urged users of its IE software to update to the latest version, Internet Explorer 8, but in doing so was forced to concede that both versions 7 and 8 of the software were also vulnerable to the IE6 security flaw that has left US computing giant Google and the Chinese government in a high-profile standoff.</p><p>In <a href="https://www.itpro.com/619561/microsoft-admits-flaw-may-hit-ie7" data-original-url="https://www.itpro.com/619561/microsoft-admits-flaw-may-hit-ie7">making the admission</a>, Microsoft was quick to stress that it had not seen successful attacks against IE7 or IE8 as yet, but its researchers had proved the possibility was there.</p><p><a href="http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx" target="blank">Writing on the Microsoft Security Response Center blog</a> yesterday, Trustworthy Computing Security general manager George Stathakopoulos said: "Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability."</p><p>The exact timing of the release will be known later today, but with the next monthly 
Patch Tuesday window still three weeks away, Microsoft has little choice but to break its traditional update protocol.</p><p>"We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time," Stathakopoulos wrote.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>