<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link href="https://www.itpro.com/feeds/tag/zero-day-exploit" rel="self" type="application/rss+xml" />
                            <title><![CDATA[ Latest from ITPro in Zero-day-exploit ]]></title>
                <link>https://www.itpro.com/tag/zero-day-exploit</link>
        <description><![CDATA[ All the latest zero-day-exploit content from the ITPro team ]]></description>
                                    <lastBuildDate>Fri, 06 Mar 2026 14:42:19 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ Organizations hit by 90 zero-day vulnerabilities last year ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/organizations-hit-by-90-zero-day-vulnerabilities-last-year</link>
                                                                            <description>
                            <![CDATA[ Google Threat Intelligence researchers warn that edge devices and security appliances are prime entry points ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aBDtJP2N9WmFv6kdYih6RY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fYKuh3bzyfULPuXQVcRyxK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 06 Mar 2026 14:42:19 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fYKuh3bzyfULPuXQVcRyxK-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing a skull superimposed over a digital interface with computer code in the background.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing a skull superimposed over a digital interface with computer code in the background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a skull superimposed over a digital interface with computer code in the background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fYKuh3bzyfULPuXQVcRyxK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google said it has tracked 90 zero-day vulnerabilities exploited in the wild in 2025 – a dozen more than in 2024, but lower than 2023's record high of 100.</p><p>Of these, 47 targeted end-user platforms and 43 enterprise products, the latter showing an all-time high. Abuse of operating systems was also on the rise, although browser-based exploitation fell to a historical low.</p><p>"State-sponsored espionage groups continue to prioritize edge devices and security appliances as prime entry points into victim networks, with just over half of attributed zero-day exploitation by these groups focused on these technologies," the <a href="https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review">Google Threat Intelligence (GTG) researchers said</a>. </p><p>"Commercial surveillance vendors (CSVs) maintained an interest in mobile and browser exploitation, adapting and expanding their exploit chains to bypass more recently implemented security boundaries and other mobile security improvements."</p><p>For the first time, in fact, more <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-days</a> were attributed to CSVs than to traditional state-sponsored cyber espionage groups. </p><p>Multiple intrusions linked to Brickstorm malware deployment had a range of different objectives, while technology companies were targeted with the aim of stealing valuable IP and furthering the development of zero-day exploits. </p><p>Meanwhile, said the team, mobile zero-day discovery have bounced about in recent years, dropping from 17 in 2023 to nine in 2024, before rebounding to 15 in 2025. </p><p>China-linked cyber espionage groups were again the most prolific users of zero-day vulnerabilities in 2025, with groups such as UNC5221 and UNC3886 continuing to focus heavily on security appliances and edge devices to maintain persistent access to strategic targets.</p><p>And zero-day exploitation by financially motivated threat groups remained much the same, with nine detected. </p><p>"Enterprise software and edge devices keep showing up as the highest leverage targets because they sit at key crossroads where access, connections, and control come together. Attackers keep leaning into these surfaces because one successful exploit can deliver initial access, lateral movement, and durable control across a wide set of systems," said Nick Tausek, lead security automation architect at Swimlane.</p><p>"Edge devices are especially attractive because they typically provide only partial breadcrumbs like login events, configuration changes, or basic traffic summaries rather than a clear view of what's happening inside the device, leaving gaps in detection and masking the true scale of exploitation."</p><p>Michael Jepson, <a href="https://www.itpro.com/penetration-testing/33981/what-is-penetration-testing">penetration testing</a> manager at CybaVerse, said the continued rise in exploited zero-days highlights a broader issue around how software is built and maintained. </p><p>Security, he said, needs to be embedded much earlier in the development lifecycle, with vendors prioritising secure-by-design principles, rigorous code review, and continuous security testing as part of standard engineering practices.</p><p>"While vulnerability discovery and disclosure are a normal part of the ecosystem, organisations should not be learning about critical flaws in widely deployed products only after attackers have already begun exploiting them," he said. </p><p>Stronger development standards, clearer vendor accountability, and potentially regulatory pressure in some sectors may be necessary to drive improvements in software security."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft under fire for “negligent” security practices in scathing critique by industry exec ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/microsoft-under-fire-for-negligent-security-practices-in-scathing-critique-by-industry-exec</link>
                                                                            <description>
                            <![CDATA[ Microsoft took more than 90 days to issue a partial fix for a critical Azure vulnerability, researchers found ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">LbWAN9rU883AQE5gmSNfCT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LvjzHSG66KB5aNNSdM8jP7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 03 Aug 2023 12:21:44 +0000</pubDate>                                                                                                                                <updated>Thu, 03 Aug 2023 13:29:46 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LvjzHSG66KB5aNNSdM8jP7-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft logo on a white background with a silhouette of a hand holding a padlock in the foreground denoting security]]></media:description>                                                            <media:text><![CDATA[Microsoft logo on a white background with a silhouette of a hand holding a padlock in the foreground denoting security]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft logo on a white background with a silhouette of a hand holding a padlock in the foreground denoting security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LvjzHSG66KB5aNNSdM8jP7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Tenable CEO Amit Yoran has accused Microsoft of "negligent practices” for its response to security vulnerabilities in a scathing critique of the tech giant. </p><p>Yoran criticized Microsoft’s alleged “lack of transparency” regarding <a href="https://www.itpro.com/security/data-breaches/data-breach-costs-businesses-lose-73-of-their-income-in-the-year-following-an-incident">data breaches</a> and security vulnerabilities, suggesting that the company has deliberately kept customers in the dark. </p><p>This criticism focuses specifically on the tech giant’s response to a recent Chinese-backed cyber espionage campaign which targeted senior US government officials. </p><p>The incident enabled threat actors to access officials’ emails, and at the time Microsoft said the attack was part of a targeted campaign against the US. </p><p>Last week, US senator Ron Wyden penned a letter calling Microsoft “negiligent” in its response to the attacks and called on the Justice Department to investigate whether the company’s approach broke the law.</p><p>Yoran echoed Wyden’s comments in his broadside against the firm, claiming that the company’s track record on security is “even worse than we thought”. </p><p>“Microsoft’s lack of transparency applies to breaches, irresponsible security practices, and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” he said. </p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="L47gbigPjNi8zfgWvSgmk3" name="L47gbigPjNi8zfgWvSgmk3.png" caption="" alt="Whitepaper cover with title, text, and SWOT analysis chart" src="https://cdn.mos.cms.futurecdn.net/L47gbigPjNi8zfgWvSgmk3.png" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: IBM)</span></figcaption></figure><p class="fancy-box__body-text"><strong>Magic quadrant for Security Information and Event Management (SIEM)</strong></p><p class="fancy-box__body-text"><em>This report assesses the current SIEM solutions in the market, looking at threat detection and response capabilities.</em></p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/security-information-and-event-management-siem/369560/2022-magic-quadrant-for-security"><strong>DOWNLOAD FOR FREE</strong></a></p></div></div><p>“What you hear from Microsoft is ‘just trust us’, but what you get back is very little transparency and a culture of toxic obfuscation. </p><p>“How can a CISO, board of directors, or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought,” Yoran added. </p><p>In March this year, Tenable researchers uncovered a vulnerability in <a href="https://www.itpro.com/cloud/cloud-storage/368019/microsoft-cloud-storage-is-onedrive-or-azure-right-for-your-business">Microsoft’s Azure</a> platform that would enable attackers to access applications and sensitive data, such as authentication secrets. </p><p>Yoran pointed to this incident as an example of Microsoft’s alleged negligent practices, noting that it took more than 90 days to implement a “partial fix” after researchers notified the firm. </p><p>“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran said. “They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.”</p><p>“Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers&apos; networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service.”</p><h2 id="is-microsoft-truly-x2018-negligent-x2019">Is Microsoft truly ‘negligent’?</h2><p>Yoran’s public criticism of Microsoft raises questions over the company’s approach to security in recent years. According to data from Google Project Zero, Microsoft products have accounted for around 42.5% of all zero days discovered since 2014. </p><p>While these statistics might raise eyebrows, the scale of Microsoft’s global footprint does indeed put things into perspective. Microsoft software is used by more than 1.4 billion people globally, including millions of organizations such as US government departments. </p><p>Within that context, Microsoft being responsible for a significant volume of zero days doesn’t point to outright negligence, but more of a byproduct of its size and scope of integration within organizations. </p><p>Jake Moore, global cyber security advisor at ESET, told <em>ITPro </em>that although the firm may seem to be turning a blind eye to known vulnerabilities, critics must remember that updates from vendors large and small are all known to cause issues, not just Microsoft’s. </p><p>“Keeping systems completely secure is a challenging role, if not impossible, but it is best approached using as many layers of defense as possible,” he said. </p><p>“<a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">Zero days</a> naturally need vital attention but when attackers strike it can be relentless and often on large swathes making patches that much more difficult to produce, control, and distribute.”</p><p>However, Moore added that the length of time between vulnerability disclosure and remediation in the Tenable research should be a cause for concern for organisations.</p><p>“Over 100 days is naturally concerning for clients but this is yet another important reminder that no one single security measure will protect entities on their own and multiple defenses are required to remain best protected.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple patches zero day linked to spyware campaign ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/apple-patches-zero-day-linked-to-spyware-campaign</link>
                                                                            <description>
                            <![CDATA[ Kaspersky researchers were the first to report a zero day used in a sophisticated attack chain ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vRCeNT4CJAbEXYVxZpvMyL</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/HRjftwBWwVhDQ6veatcNC4-1280-80.jpeg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 25 Jul 2023 13:00:00 +0000</pubDate>                                                                                                                                <updated>Mon, 31 Jul 2023 11:46:50 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Rory Bathgate) ]]></author>                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/DnNrFxEA7RRECVgFxXR4V7.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/HRjftwBWwVhDQ6veatcNC4-1280-80.jpeg">
                                                            <media:credit><![CDATA[Future]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Apple zero day: A close up of the iPhone 14 Pro&#039;s camera system]]></media:description>                                                            <media:text><![CDATA[Apple zero day: A close up of the iPhone 14 Pro&#039;s camera system]]></media:text>
                                <media:title type="plain"><![CDATA[Apple zero day: A close up of the iPhone 14 Pro&#039;s camera system]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/HRjftwBWwVhDQ6veatcNC4-1280-80.jpeg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has released a patch for a number of vulnerabilities including an actively-exploited zero-day vulnerability linked to an ongoing spyware campaign.</p><p>The zero-day flaw, tracked as CVE-2023-38606, made it possible for an app to alter the state of a device’s kernel which could allow an attacker to leverage root-level control over a compromised device.</p><p>It was reported by researchers at Kaspersky Lab as part of an ongoing effort to uncover a sophisticated attack chain used as a vector in a spyware operation dubbed ‘Operation Triangulation’.</p><p>Researchers <a href="https://www.itpro.com/security/malware/kaspersky-traces-spyware-attack-on-staff-ios-devices-back-to-2019"><u>first reported the spyware</u></a> in June, after uncovering evidence to suggest that an advanced persistent threat (APT) campaign had been working against Kaspersky staff since 2019.</p><p>At the time, it was noted that the spyware arrives through a malicious iMessage. This subsequently activates a payload using a zero-click method, so goes entirely unnoticed by victims.</p><p>Apple’s update also introduced fixes to a WebKit remote code execution flaw (CVE-2023-38594), a libxpc vulnerability that could allow an app to obtain root privileges (CVE-2023-38565), and an Apple Neural Engine flaw linked to arbitrary code execution (CVE-2023-38136).</p><p>In all, updates were released for:</p><ul><li><strong>Safari 16.6</strong> (macOS Big Sur and macOS Monterey)</li><li><strong>iOS 16.6, iPadOS 16.6</strong> (iPhone 8 and later, all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later)</li><li><strong>iOS 15.7.8 and iPadOS 15.7.8 </strong>(all models of iPhone 6s and iPhone 7, 1st generation iPhone SE, iPad Air 2, 4th generation iPad mini, and 7th generation iPod touch</li><li><strong>macOS Ventura 13.5</strong></li><li><strong>macOS Monterey 12.6.8</strong></li><li><strong>macOS Big Sur 11.7.9</strong></li><li><strong>tvOS 16.6 </strong>(All models of Apple TV 4K and Apple TV HD)</li><li><strong>watchOS 9.6</strong> (Apple Watch Series 4 and later)</li></ul><p>In the weeks since Operation Triangulation was made public, researchers have performed more detailed analyses on the vector and exfiltration implant used by the spyware’s operators. </p><p>The threat actors exploit the <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale"><u>zero day</u></a> (CVE-2023-38606) to gain root privileges on a victim’s iOS device, and then deploy the implant, which Kaspersky dubbed ‘TriangleDB’.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">The story of the #iOSTriangulation in-the-wild 0-days continues! CVE-2023-38606 is another kernel vulnerability that was used in the 0-click exploit chain. Discovered by Valentin Pashkov, Mikhail Vinogradov, @kucher1n, @bzvr_, and yours truly. Update all your Apple devices! pic.twitter.com/ReqCg4Pa73<a href="https://twitter.com/oct0xor/status/1683563098571931648">July 24, 2023</a></p></blockquote><div class="see-more__filter"></div></div><p>This works to alter or delete files, exfiltrate key files such as certificates or keys, and send precise geolocation data back to the operators. </p><p>Removing the <a href="https://www.itpro.com/spyware/30001/what-is-spyware"><u>spyware</u></a> via a factory reset of the phone removes all evidence of the attack, and as it operates in a device’s <a href="https://www.itpro.com/hardware/30353/what-is-cache-memory"><u>memory</u></a> it has proved difficult to track. </p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="WEwTtifRTfa7TG23aGmRJ6" name="Top 10 ways to eliminate_listing.jpg" caption="" alt="Top ten ways to eliminate cyber threats: eBook cover with green title over image of man using a laptop wearing a lanyard" src="https://cdn.mos.cms.futurecdn.net/WEwTtifRTfa7TG23aGmRJ6.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: ServiceNow)</span></figcaption></figure><p class="fancy-box__body-text"><strong>Top ten ways to anticipate, eliminate, and defeat cyber threats like a boss</strong></p><p class="fancy-box__body-text"><em>Learn how to improve your cyber resilience and vulnerability management.</em></p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/top-ten-ways-to-anticipate-eliminate-and-defeat-cyber-threats-like-a-boss"><strong>DOWNLOAD FOR FREE</strong></a></p></div></div><p>By default, TriangleDB deletes itself after 30 days, though attackers can extend or shorten this period through commands send from their command-and-control (C2) infrastructure.</p><p>Researchers also found that TriangleDB’s configuration class contains a method titled ‘populateWithFieldsMacOSOnly’, leading them to warn that future such spyware attacks could occur against macOS devices.</p><p>“An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1,” Apple <a href="https://support.apple.com/en-gb/HT213841"><u>wrote</u></a>.</p><p>The firm stated that the issue has been resolved using an improved state management method, but did not go into further detail on what this entails.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ MOVEit cyber attack: Cl0p sparks speculation that it’s lost control of hack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/moveit-cyber-attack-cl0p-sparks-speculation-that-its-lost-control-of-hack</link>
                                                                            <description>
                            <![CDATA[ The hackers return with their second major data-extortion attack of 2023, but may have bitten off more than they can chew ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">jX8RMDqWcwZnEKHxnqoqxd</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/8UD9Rbm37RcjHhKFrHRB96-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 07 Jun 2023 11:09:35 +0000</pubDate>                                                                                                                                <updated>Tue, 13 Jun 2023 09:31:16 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ connor.jones@futurenet.com (Connor Jones) ]]></author>                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Connor Jones is the News and Analysis Editor at ITPro, CloudPro, and ChannelPro. As the brands’ leader for news, he welcomes pitches on all topics, and he personally still reports breaking news on the topics of cyber security, software, and Big Tech firms.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;He has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs.&lt;/p&gt;
&lt;p&gt;Connor is currently in his third year at ITPro, but has been a journalist for much longer, having written for the likes of Red Bull Esports and UNILAD. He has a master’s degree in Magazine Journalism from one of the UK’s leading journalism departments at the University of Sheffield, as well as an undergraduate degree in English Language from Sheffield Hallam University.&lt;/p&gt;
&lt;p&gt;When he’s not hitting the phones trying to squeeze stories out of sources and press offices, in his free time Connor studies software development, is a keen cook, and enjoys leading an active life through cycling, hiking, racket sports, and weightlifting.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/8UD9Rbm37RcjHhKFrHRB96-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[MOVEit: Digital security padlock with encrypted binary code on futuristic circuit board]]></media:description>                                                            <media:text><![CDATA[MOVEit: Digital security padlock with encrypted binary code on futuristic circuit board]]></media:text>
                                <media:title type="plain"><![CDATA[MOVEit: Digital security padlock with encrypted binary code on futuristic circuit board]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/8UD9Rbm37RcjHhKFrHRB96-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The cyber criminals believed to be behind the MOVEit File Transfer supply chain attack have taken the unusual step of demanding victims contact them first to negotiate extortion payments.</p><p>In a broken-English statement published on its deep web blog, Cl0p announced victims have seven days to contact the group to negotiate a payment before their data is posted online.</p><p>The approach taken by the group is atypical from most extortion scenarios which usually sees the attackers approach the victims first.</p><p>Members of the cyber security industry have speculated that Cl0p, which was blamed for the supply chain attack by Microsoft <a href="https://www.itpro.com/security/data-breaches/microsoft-says-it-knows-who-was-behind-cyber-attacks-on-moveit-transfer"><u>earlier this week</u></a>, has ingested too much data for it to identify the company to which it belongs.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="koNvE9zmQFam7EYpnGTT9m" name="ThreatLabz Report_The state of encrypted attacks_listing.jfif.jpg" caption="" alt="Whitepaper cover with title over image of high rise buildings with red circular digital icons dotted around" src="https://cdn.mos.cms.futurecdn.net/koNvE9zmQFam7EYpnGTT9m.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Zscaler)</span></figcaption></figure><p class="fancy-box__body-text"><strong>ThreatLabz Report: The state of encrypted attacks</strong></p><p class="fancy-box__body-text"><em>What&apos;s hiding in your web traffic?</em></p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/phishing/threatlabz-report-the-state-of-encrypted-attacks"><strong>DOWNLOAD FOR FREE</strong></a></p></div></div><p>“The attackers have chosen to ask their victims to begin negotiation tactics by reaching out initially but this approach deviates from the norm as typically ransom demands are sent to the targeted organizations with a predetermined amount chosen by the hackers,” said Jake Moore, global cyber security advisor at ESET.</p><p>”This decision is likely to stem from the overwhelming magnitude of the ongoing hack which is still affecting large numbers of systems worldwide and potentially overpowering the capabilities of Cl0p itself.”</p><p>“Sure looks like they can’t keep up with the scale of the hack,” said Dominic Alvieri, cyber security researcher, in a <a href="https://twitter.com/AlvieriD/status/1666348738216972291"><u>tweet</u></a>.</p><p>Cl0p gave victims a deadline of 14 June to begin negotiations. Failure to contact the attackers will lead to the publication of stolen data, according to the group’s statement.</p><p>The information provided was unclear in places. A final deadline of 14 June was given, but it’s not certain if victims can contact Cl0p on the 14th and still benefit from the three-day negotiation window or not.</p><p>Cl0p also stated that victims’ chats will be closed and its data then published after ten days of non-productive talks, adding to the confusion around the true absolute final deadline for victims.</p><p>The attackers said data belonging to government, city, or police services has already been erased.</p><p>“You do not need to contact us. We have no interest to expose such information,” Cl0p said.</p><p>The reason for these exceptions is likely rooted in the social pressure placed on cyber criminal operations to not target organizations with shallow pockets and those that operate essential services <a href="https://www.itpro.com/security/cyber-attacks/369637/second-cyber-attack-french-hospital-forcing-patients-to-be-relocated"><u>such as hospitals</u></a>.</p><p>Regardless, experts have advised to remain cautious since cyber criminals have been known to lie in such statements.</p><p>“Cl0p claims to have deleted information relating to public sector organizations but from what we have learnt in the past is that we cannot trust the words of cyber criminals and therefore, anyone who believes their data has been stolen must remain on high alert,” said Moore.</p><p>“Although it is never advised to pay ransom demands to cyber criminals, there is an inevitable risk that some of the targeted <a href="https://www.itpro.com/security/ransomware/362729/uk-businesses-most-likely-pay-ransomware-demands"><u>companies will succumb to the pressure</u></a>. This will only fuel the fire and continue the cycle of this devastating criminal group. </p><p>“It is more important that the companies affected are open and honest with their employees and customers offering support in how to protect themselves and how to spot follow-up <a href="https://www.itpro.com/security/29093/what-is-phishing"><u>phishing</u></a> and <a href="https://www.itpro.com/security/phishing/361625/what-is-smishing"><u>smishing</u></a> attacks.”</p><h2 id="what-is-the-moveit-cyber-attack">What is the MOVEit cyber attack?</h2><p>News broke of the exploitation of a zero-day vulnerability in the MOVEit file transfer product, developed by Progress subsidiary Ipswitch, on 31 May.</p><p>The application is used by thousands of major organizations across the world, and has already impacted the likes of British Airways, Aer Lingus, the BBC, and UK retailer Boots.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="zcgryVGkujpbfYJvspEN6b" name="Three ways to evolve your security operations_listing.jpg" caption="" alt="Red whitepaper cover with image of office building from the ground up" src="https://cdn.mos.cms.futurecdn.net/zcgryVGkujpbfYJvspEN6b.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Trend Micro)</span></figcaption></figure><p class="fancy-box__body-text"><strong>Three ways to evolve your security operations</strong></p><p class="fancy-box__body-text"><em>Why current approaches aren’t working</em></p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/three-ways-to-evolve-your-security-operations"><strong>DOWNLOAD FOR FREE</strong></a></p></div></div><p>Experts at the time revealed that their telemetry indicated that other victims may include banks and areas of the US government.</p><p>The vulnerability, tracked as CVE-2023-34362, has been added to CISA’s known exploited vulnerabilities list which compels federal agencies to apply available patches expeditiously.</p><p>Every version of MOVEit Transfer is thought to be affected by the vulnerability and organizations have been urged to <a href="https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023"><u>apply the patch released last week</u></a>.</p><p>Microsoft Threat Intelligence attributed the <a href="https://www.itpro.com/business-operations/supply-chain-management-scm/361208/supply-chain-cyber-security-breach-impacted"><u>supply chain attack</u></a> to cyber criminal outfit Cl0p, believed to be operating out of Russia.</p><p>Cl0p is known for its namesake ransomware as a service (RaaS) but has notoriously adopted a pure extortion approach this year. </p><p>The group is also believed to be behind the <a href="https://www.itpro.com/security/data-breaches/370409/the-goanywhere-data-breach-explained"><u>attack on Fortra’s GoAnywhere MFT product</u></a>. </p><p>The exploitation of a vulnerability in the software led to successful attacks on more than 130 organizations, by the group’s own calculations.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft says it knows who was behind cyber attacks on MOVEit Transfer ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-breaches/microsoft-says-it-knows-who-was-behind-cyber-attacks-on-moveit-transfer</link>
                                                                            <description>
                            <![CDATA[ Dozens of organizations may have already lost data to hackers exploiting the critical flaw ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">6gcohEiLkMVr5rmboiHYqS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NEjje87dAuG8WVNiQvoKSF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 05 Jun 2023 13:41:35 +0000</pubDate>                                                                                                                                <updated>Tue, 13 Jun 2023 08:26:42 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Rory Bathgate) ]]></author>                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/DnNrFxEA7RRECVgFxXR4V7.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NEjje87dAuG8WVNiQvoKSF-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A series of blue blocks with binary code displayed alongside yellow padlocks]]></media:description>                                                            <media:text><![CDATA[A series of blue blocks with binary code displayed alongside yellow padlocks]]></media:text>
                                <media:title type="plain"><![CDATA[A series of blue blocks with binary code displayed alongside yellow padlocks]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NEjje87dAuG8WVNiQvoKSF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has named Lace Tempest as the threat group behind attacks on MOVEit Transfer, a service that handles business-critical file transfers for major banks, credit unions, and federal agencies.</p><p>Hackers exploited a flaw, tracked as CVE-2023-34362, to obtain access to the database of MOVEit Transfer, a widely-used secure managed file transfer application.</p><p>Microsoft Threat Intelligence said the attack pattern matched that of the Lace Tempest group, also known as FIN11, which runs the Cl0p <a href="https://www.itpro.com/security/29241/what-are-the-different-types-of-ransomware"><u>ransomware-as-a-service (RaaS)</u></a>. </p><p>At this stage, the contents of affected databases are unclear as no stolen data has been posted on the <a href="https://www.itpro.com/security/32117/what-is-the-dark-web"><u>dark web</u></a>.</p><p>The hacker group has become known for data theft and extortion through the exploitation of vulnerabilities and deploying ransomware. </p><p>Microsoft researchers matched behaviors from the attacks with those from recent Lace Tempest activity, although it has not detailed its specific evidence for attribution.</p><p>The group has exploited similar vulnerabilities in past operations, and Mandiant <a href="https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft"><u>noted</u></a> both the MOVEit attackers and FIN11 have made use of data exfiltration web shells.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims. pic.twitter.com/q73WtGru7j<a href="https://twitter.com/MsftSecIntel/status/1665537730946670595">June 5, 2023</a></p></blockquote><div class="see-more__filter"></div></div><p>In attacks observed in the wild, attackers exploited the flaw using <a href="https://www.itpro.com/hacking/34441/how-does-a-sql-injection-attack-work"><u>SQL injection</u></a> to escalate their privileges, allowing them to gain access to a victim’s MOVEit Transfer database and exfiltrate or alter files.</p><p>Thousands of organizations are understood to use MOVEit Transfer in their operations.</p><p>MOVEit Transfer was developed by Ipswitch, a subsidiary of Progress Software Corporation, which released a <a href="https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023" target="_blank"><u>notice</u></a> on the breach on May 31.</p><p>“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” Progress wrote.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="yJT8tAEv5WVR26o854DXBC" name="Trend Micro security predictions for 2023_listing.jpg" caption="" alt="Whitepaper cover with title over a shattered glass style image of a female wearing a VR headset" src="https://cdn.mos.cms.futurecdn.net/yJT8tAEv5WVR26o854DXBC.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Trend Micro)</span></figcaption></figure><p class="fancy-box__body-text"><strong>Trend Micro security predictions for 2023</strong></p><p class="fancy-box__body-text"><em>Prioritise cyber security strategies on capabilities rather than costs</em></p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/370157/trend-micro-security-predictions-for-2023"><strong>DOWNLOAD FOR FREE</strong></a></p></div></div><p>Every version of MOVEit Transfer, including MOVEit Cloud, are thought to be affected by the vulnerability. Progress has released patches for each version, but reports of databases that were compromised in the interim are expected to continue in the coming weeks.</p><p>Progress has urged customers to delete .cmdline script files and the file ‘human2.aspx’, remove unauthorized accounts, and analyze logs for large file transfers or access to Azure Blob Storage Keys.</p><p>It also recommended MOVEit Transfer users change their firewall settings to block HTTP and HTTPS traffic to the application through ports 80 and 443 until such time as the relevant patch has been applied.</p><p>A MOVEit spokesperson told <em>ITPro</em> that the company cut off web access to MOVEit Cloud, sent customers mitigation steps, and launched an investigation after it found the flaw. It re-enabled Cloud and patched both it and MOVEit Transfer within 48 hours.</p><p>“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures," a MOVEit spokesperson told ITPro. </p><p>"We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.</p><p>"Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”</p><p>Following the public disclosure of the vulnerability, security teams and system admins across the thousands of firms that use MOVEit to transfer sensitive information have been assessing their vulnerability and taking to forums to compare notes.</p><p>“Jack Henry uses MOVEit for almost all their automation and sending of files to thousands of clients banks/credit unions/providers multiple times per day,” <a href="https://www.reddit.com/r/msp/comments/13xjs1y/comment/jmhxllw/" target="_blank"><u>wrote</u></a> one user of the sys admins subreddit.</p><p>Cyber security researcher Kevin Beaumont tweeted that according to his analysis, several organizations, including some in banking and the US government, have had data stolen through the attacks.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">Microsoft are attributing the #moveIT attacks to cl0p ransomware. I’ve been tracking this - there are a double digit number of orgs who had data stolen, that includes multiple US Government and banking orgs. https://t.co/OJF5XnQO9c<a href="https://twitter.com/GossiTheDog/status/1665618882957127681">June 5, 2023</a></p></blockquote><div class="see-more__filter"></div></div><p>“MoveIT Transfer is used across the US Government as a recommended solution and all of them were vulnerable (and in many cases still are as many orgs haven’t patched yet),” he wrote.</p><p>The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-34362 to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" target="_blank"><u>exploited vulnerabilities list</u></a>, which compels all federal agencies to apply patches against the flaw by June 23.</p><p>Mandiant had previously attributed the attacks to a new threat group it tracked as UNC4857, and predicted that victims were likely to receive ransom emails in coming days.</p><p>Researchers noted the similarities between UNC4857 activity and that of FIN11, but did not definitively prove an overlap between the two for lack of evidence.</p><p>It found that attacks had been occurring since at least May 27, and identified a web shell dubbed ‘LEMURLOOT’ that the attackers have deployed following exploitation. This is used to download files, generate enumeration commands within MOVEit, pass config data back to attackers, and alter user accounts.</p><p>Detection of LEMURLOOT samples on repositories from Germany, Italy, and Pakistan led researchers to suggest that the group has also targeted victims in these countries.</p><p>At the time of writing, the vulnerability has not received an official CVSS score. </p><p>“The first step for administrators utilizing MFT should be to patch the vulnerability or take the service offline until it can be patched, especially now that it is public knowledge," Darren Guccione, CEO and co-founder, Keeper Security told <em>ITPro</em>.</p><p>"While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Windows, macOS, and Tesla exploits debuted at Pwn2Own hacking contest ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/370317/windows-macos-and-tesla-exploits-debuted-at-pwn2own-hacking-competition</link>
                                                                            <description>
                            <![CDATA[ Researchers took home more than $375,000 in winnings on the first day of the competition ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9Vwi9X2WQYSZEyqSUf1nae</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/6JP4nYwoULENLMPR8kYKda-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 23 Mar 2023 11:30:43 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/6JP4nYwoULENLMPR8kYKda-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker typing on a keyboard]]></media:description>                                                            <media:text><![CDATA[Hacker typing on a keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker typing on a keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/6JP4nYwoULENLMPR8kYKda-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security researchers have successfully exploited zero-day vulnerabilities found in macOS, Windows, and Tesla software at the Zero Day Initiative’s Pwn2Own conference. </p><p>Day one of the 2023 competition, hosted in Vancouver, saw 12 unique zero-day vulnerabilities exploited in Microsoft SharePoint, Windows 11, Adobe Reader, Oracle VirtualBox, Tesla Gateway, and macOS. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/361455/experts-break-into-samsung-galaxy-s21-twice-at-pwn2own-hacking-event" data-original-url="/security/hacking/361455/experts-break-into-samsung-galaxy-s21-twice-at-pwn2own-hacking-event">Researcher awarded $50,000 for discovering Samsung Galaxy S21 hack</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/370264/windows-admins-plagued-issues-outlook-zero-day-patch" data-original-url="/security/370264/windows-admins-plagued-issues-outlook-zero-day-patch">Windows admins plagued with issues after installing Outlook zero day patch</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/369713/apple-issues-fix-for-actively-exploited-webkit-zero-day-vulnerability" data-original-url="/security/369713/apple-issues-fix-for-actively-exploited-webkit-zero-day-vulnerability">Apple issues fix for ‘actively exploited’ WebKit zero-day vulnerability</a></p></div></div><p>Abdul Aziz Hariri of security firm Haboob successfully exploited vulnerabilities in Adobe Reader. Hariri used a six-bug chained exploit to escape the Adobe sandbox and circumvent APIs on macOS, earning a $50,000 prize in the process. </p><p>A key talking point on day one of Pwn2Own came when STAR Labs successfully executed a chained exploit against <a href="https://www.itpro.com/software/microsoft-office/358331/microsoft-more-than-doubles-file-size-limit-for-sharepoint-teams" data-original-url="https://www.itpro.com/software/microsoft-office/358331/microsoft-more-than-doubles-file-size-limit-for-sharepoint-teams">Microsoft SharePoint</a>. The team also hacked <a href="https://www.itpro.com/operating-systems/25139/ubuntu-vs-mint-which-one-is-better" data-original-url="https://www.itpro.com/operating-systems/25139/ubuntu-vs-mint-which-one-is-better">Ubuntu</a> Desktop with a previously known vulnerability which saw them scoop a combined prize of $115,000. </p><p>Synacktiv secured a $140,000 prize haul - and a Tesla Model 3 - after hacking Apple’s <a href="https://www.itpro.com/software/operating-systems/369384/security-features-apple-macos-ventura-compelling-business-upgrade" data-original-url="https://www.itpro.com/software/operating-systems/369384/security-features-apple-macos-ventura-compelling-business-upgrade">macOS</a> kernel through an elevation of privilege attack as well as a successful vulnerability exploit of Tesla Gateway. This attack saw the team execute a time-of-check to time-of-use (TOCTOU) attack against the Gateway.</p><p>Tesla’s Gateway is a system in its Powerwall product which controls a vehicle’s connection to the grid. The Gateway automatically detects outages and provides a “seamless transition” to backup power in the event of an outage. </p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="VrzXjkVbXZ2DQ9RKwaQQhV" name="VrzXjkVbXZ2DQ9RKwaQQhV.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/VrzXjkVbXZ2DQ9RKwaQQhV.png" mos="https://cdn.mos.cms.futurecdn.net/VrzXjkVbXZ2DQ9RKwaQQhV.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Zero Trust myths: Fact or fiction?</strong></p><p class="fancy-box__body-text">What the myths get right and wrong about Zero Trust</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/370183/zero-trust-myths-fact-or-fiction" data-original-url="/security/zero-day-exploit/370183/zero-trust-myths-fact-or-fiction">FREE DOWNLOAD</a></p></div></div><p>This isn’t the first time Tesla Gateway has been exploited successfully. In 2020, researchers at security firm Rapid7 <a href="https://www.rapid7.com/blog/post/2020/11/17/dont-put-it-on-the-internet-tesla-backup-gateway-edition">highlighted security risks</a> due to the Gateway’s connection to the internet. </p><p>Meanwhile, security researcher Marcin Wiazowski used an improper input validation bug to elevate privileges on <a href="https://www.itpro.com/operating-systems/microsoft-windows/369564/windows-11-tips-and-tricks-for-working-professionals" data-original-url="https://www.itpro.com/operating-systems/microsoft-windows/369564/windows-11-tips-and-tricks-for-working-professionals">Windows 11</a> which saw him secure a $30,000 prize. </p><p>Bien Pham rounded off the first day with a successful exploit against Oracle VirtualBox, earning a prize of $40,000. </p><h2 id="more-to-come-at-pwn2own">More to come at Pwn2Own </h2><p>The annual competition saw $375,000 in prizes awarded over the course of day one, with Justin Childs, head of threat awareness at the Zero Day Initiative, stating that the contest is “well on its way to a million dollars”. </p><p>Last year’s contest saw researchers take home more than $1.1 million in winnings after hacking Windows 11 a total of six times and demonstrating three critical Microsoft Teams zero days. </p><p>With two more days still to run at Pwn2Own, Childs said there’s much more to come. </p><p>This includes demos for zero-day exploits in Microsoft Teams and follow-up attempts on Ubuntu Desktop and Oracle VirtualBox. </p><p>Tesla’s Infotainment Unconfined Root will also be in the crosshairs while day three will see additional attempts on Windows 11, Teams, and VMware Workstation. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The IT manager's guide to getting home in time for dinner ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/network-security/370217/the-it-managers-guide-to-getting-home-in-time-for-dinner</link>
                                                                            <description>
                            <![CDATA[ A cloud based networking solution that does away with configurations ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">fcxNgw12ecG9M2U3J1Ycan</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/goH3DUReMuea7tNkdVG39a-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Mar 2023 14:26:53 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Firewalls]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/goH3DUReMuea7tNkdVG39a-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Whitepaper cover with title and image of a book with a cartoon image of a man up to the eyeballs in IT Helpdesk tickets / requests]]></media:description>                                                            <media:text><![CDATA[Whitepaper cover with title and image of a book with a cartoon image of a man up to the eyeballs in IT Helpdesk tickets / requests]]></media:text>
                                <media:title type="plain"><![CDATA[Whitepaper cover with title and image of a book with a cartoon image of a man up to the eyeballs in IT Helpdesk tickets / requests]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/goH3DUReMuea7tNkdVG39a-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>For IT managers it never ends. In the morning it’s endless tickets about individual desktop issues, then a database isn’t responding, a server goes down, or for some unknown reason backups are failing. Even the most diligent administrator gets hit with a pile of issues, and as always they tend to cluster around the worst times of day like early morning or quitting time.</p><p>That’s why many IT managers look to simplify their systems as much as possible. Not only does it make life easier, but it also increases the chance that you won’t be staying late to fix some obscure server issue. Some things just can’t be pared down, of course, but what if we told you edge networking wasn’t one of those things?</p><p>Download now to learn more about how Zero Trust Network Access, a dependable Firewall-as-a-Service, and a Secure Web Gateway wrapped up in a single, secure, networking package can get you home in time for dinner.</p><p><em>Provided by</em></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="45kyzij2XAsVPuNU7f5egJ" name="" alt="Perimeter 81 logo" src="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" mos="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><iframe frameborder="0" height="1000" width="100%" data-lazy-priority="low" data-lazy-src="https://dennis.cvtr.io/forms/49988/perimeter81q1?locale=1&p=false&wp=11034"></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Zero Trust myths: Fact or fiction? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/370183/zero-trust-myths-fact-or-fiction</link>
                                                                            <description>
                            <![CDATA[ What the myths get right and wrong about Zero Trust ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">hMAMMmLJ9CASmrFsMyXjT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/VrzXjkVbXZ2DQ9RKwaQQhV-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Mar 2023 14:20:10 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[VPN]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/VrzXjkVbXZ2DQ9RKwaQQhV-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Webinar screen with title and contributor images]]></media:description>                                                            <media:text><![CDATA[Webinar screen with title and contributor images]]></media:text>
                                <media:title type="plain"><![CDATA[Webinar screen with title and contributor images]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/VrzXjkVbXZ2DQ9RKwaQQhV-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>In this webinar you will:</p><ul><li>Learn how Zero Trust can help your organisations' network security</li><li>Understand how Zero Trust solves challenges of modern security deployment</li><li>Discover just how new (or not) the Zero Trust concept is</li><li>Determine the difference between Zero Trust and legacy business VPNs</li></ul><p><em>Provided by</em></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="45kyzij2XAsVPuNU7f5egJ" name="" alt="Perimeter 81 logo" src="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" mos="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><iframe frameborder="0" height="1000" width="100%" data-lazy-priority="low" data-lazy-src="https://dennis.cvtr.io/forms/49988/perimeter81q1?locale=1&p=false&wp=10998"></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Achieving zero trust for corporate networks ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/network-security/370182/achieving-zero-trust-for-corporate-networks</link>
                                                                            <description>
                            <![CDATA[ Zero trust is a new way of thinking about information security ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cgBDgEoXcw4Bir2rV8uUPs</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GB7YYAdRm3LRnVVscE6aUg-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Mar 2023 13:00:53 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Networking]]></category>
                                                    <category><![CDATA[Infrastructure]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/GB7YYAdRm3LRnVVscE6aUg-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Webinar title screen with images of contributors]]></media:description>                                                            <media:text><![CDATA[Webinar title screen with images of contributors]]></media:text>
                                <media:title type="plain"><![CDATA[Webinar title screen with images of contributors]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GB7YYAdRm3LRnVVscE6aUg-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Between the rise in social-engineering attacks and the Biden Administration’s executive order for mandating zero-trust initiatives across government agency networks, demand for zero trust is at an all-time high.</p><p>In this webinar, experts discuss the growing importance of zero trust models to the future of cybersecurity. The panel of speakers follow their discussion with a real time demonstration of Perimeter 81’s zero trust offering.</p><p>Watch the full webcast to learn more about zero trust initiatives and see how partnering with Perimeter 81 could accelerate your zero-trust journey.</p><p><em>Provided by</em></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="45kyzij2XAsVPuNU7f5egJ" name="" alt="Perimeter 81 logo" src="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" mos="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><iframe frameborder="0" height="1000" width="100%" data-lazy-priority="low" data-lazy-src="https://dennis.cvtr.io/forms/49988/perimeter81q1?locale=1&p=false&wp=10997"></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Organisations seek SSE solutions to help ease pain of remote work ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/network-security/370181/organisations-seek-sse-solutions-to-help-ease-pain-of-remote-work</link>
                                                                            <description>
                            <![CDATA[ How ZTNA wins the network security game ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">peauAWBGFYgiKPBwrQwSNN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/PzPYrQG3haFGEtLbFLjsDN-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Mar 2023 12:57:21 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/PzPYrQG3haFGEtLbFLjsDN-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Blue whitepaper cover with title over a digital image of a book on top of a white surface with stars in the background ]]></media:description>                                                            <media:text><![CDATA[Blue whitepaper cover with title over a digital image of a book on top of a white surface with stars in the background ]]></media:text>
                                <media:title type="plain"><![CDATA[Blue whitepaper cover with title over a digital image of a book on top of a white surface with stars in the background ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/PzPYrQG3haFGEtLbFLjsDN-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Many businesses today are rethinking their network security solutions since the adoption of remote and hybrid work, and considering the multiple cyber security options now available. For the majority, the best solution would be to introduce new elements - like Zero Trust - that can be implemented alongside legacy infrastructure.</p><p>This study shares how converged network security - Security Services Edge (SSE) - could be the solution to achieve this, offering integrated cloud-based abilities without compromising existing environments.</p><p>Download now for the full results of this study, discover the main challenges in managing network security, including remote access, and realise the numerous drivers for adopting SSE.</p><p><em>Provided by</em></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="45kyzij2XAsVPuNU7f5egJ" name="" alt="Perimeter 81 logo" src="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" mos="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><iframe frameborder="0" height="1000" width="100%" data-lazy-priority="low" data-lazy-src="https://dennis.cvtr.io/forms/49988/perimeter81q1?locale=1&p=false&wp=10991"></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ZTNA vs on-premises VPN ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/mobile/remote-access/370180/ztna-vs-on-premises-vpn</link>
                                                                            <description>
                            <![CDATA[ How ZTNA wins the network security game ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">hjhUqyWjcDkSocDS3UeSbN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NeckmEo98JWfdotfzrjgbk-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Mar 2023 12:52:38 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[VPN]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/NeckmEo98JWfdotfzrjgbk-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Whitepaper cover with digital images of two books, one open and one with digital image of a cloud and person icon in the centre, with square graphics of a network, shield, and verified icons]]></media:description>                                                            <media:text><![CDATA[Whitepaper cover with digital images of two books, one open and one with digital image of a cloud and person icon in the centre, with square graphics of a network, shield, and verified icons]]></media:text>
                                <media:title type="plain"><![CDATA[Whitepaper cover with digital images of two books, one open and one with digital image of a cloud and person icon in the centre, with square graphics of a network, shield, and verified icons]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NeckmEo98JWfdotfzrjgbk-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>IT leaders today are tasked with finding innovative ways to secure their remote workforce, with legacy hardware firewall VPNs no longer able to meet today’s security needs. One solution is enterprise level network security with Zero Trust, that enables network access for users to only what they need to perform their roles.</p><p>This guide further explains the benefits of a Zero Trust Network Access (ZTNA) security model and how organisations can significantly reduce the level of exposure to cyber attacks and limit unwanted access to their data.</p><p>Download now to see how ZTNA compares to On-premise Firewall VPNs, and how it can offer a safer hybrid work environment.</p><p><em>Provided by</em></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="45kyzij2XAsVPuNU7f5egJ" name="" alt="Perimeter 81 logo" src="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" mos="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><iframe frameborder="0" height="1000" width="100%" data-lazy-priority="low" data-lazy-src="https://dennis.cvtr.io/forms/49988/perimeter81q1?locale=1&p=false&wp=10984"></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The WFH cyber security checklist ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/mobile/remote-access/370179/the-wfh-cyber-security-checklist</link>
                                                                            <description>
                            <![CDATA[ Ten ways to win the remote access game with ZTNA ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">h2rHrEMqELJE8dPmCx58uX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/HZj96Z5myU4QbgD5zye974-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Mar 2023 12:43:55 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Networking]]></category>
                                                    <category><![CDATA[Infrastructure]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/HZj96Z5myU4QbgD5zye974-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Dark whitepaper cover with title and image of two books, one open and one with the author on the front cover]]></media:description>                                                            <media:text><![CDATA[Dark whitepaper cover with title and image of two books, one open and one with the author on the front cover]]></media:text>
                                <media:title type="plain"><![CDATA[Dark whitepaper cover with title and image of two books, one open and one with the author on the front cover]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/HZj96Z5myU4QbgD5zye974-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Since the global pandemic, the modern workforce has become largely remote in a bid to continue business operations. With more remote devices now accessing the company network from multiple locations, and the adoption of cloud-based collaborative tools, cyber criminals have revelled in exploiting vulnerabilities following this shift.</p><p>With employees today determining how they work - the majority opting for remote/hybrid opportunities - this resource can help organisations ensure the security of their remote employees with ten clear cyber security checks.</p><p>Download now to learn how to radically simplify your cyber security and discover the tools that can meet the needs of both your remote workforce, and deliver the robust protection your IT teams require.</p><p><em>Provided by</em></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="45kyzij2XAsVPuNU7f5egJ" name="" alt="Perimeter 81 logo" src="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" mos="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><iframe frameborder="0" height="1000" width="100%" data-lazy-priority="low" data-lazy-src="https://dennis.cvtr.io/forms/49988/perimeter81q1?locale=1&p=false&wp=10983"></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The essential guide to preventing ransomware attacks ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/370178/the-essential-guide-to-preventing-ransomware-attacks</link>
                                                                            <description>
                            <![CDATA[ Vital tips and guidelines to protect your business using ZTNA and SSE ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qvtudpyJAXot2dyLgNGhrG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4eRfmiXyLuCUJqizfhK2R7-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Mar 2023 12:25:32 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/4eRfmiXyLuCUJqizfhK2R7-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Blue whitepaper cover with title and word ransomware made up of newspaper cut out letters]]></media:description>                                                            <media:text><![CDATA[Blue whitepaper cover with title and word ransomware made up of newspaper cut out letters]]></media:text>
                                <media:title type="plain"><![CDATA[Blue whitepaper cover with title and word ransomware made up of newspaper cut out letters]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4eRfmiXyLuCUJqizfhK2R7-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>According to a recent study by Perimeter 81, two thirds of the 500 IT professionals they surveyed had experienced a ransomware attack during the course of their career, highlighting just how encompassing ransomware has become. As malicious actors continue to take advantage of zero-day vulnerabilities, the time has come for businesses to ensure they have the tools to counter attacks.</p><p>This eBook focuses on practical data to help organisations understand the full implications of a ransomware attack, from the risks associated with hardware VPNs, to how to protect your remote workforce, and shares how to select the best approach to prevent malware, both now and in the future.</p><p>Download now to learn the six principles of Zero Trust Network Access (ZTNA), and discover how this key component of Security Services Edge (SSE) can offer your business complete cloud security.</p><p><em>Provided by</em></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="45kyzij2XAsVPuNU7f5egJ" name="" alt="Perimeter 81 logo" src="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" mos="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><iframe frameborder="0" height="1000" width="100%" data-lazy-priority="low" data-lazy-src="https://dennis.cvtr.io/forms/49988/perimeter81q1?locale=1&p=false&wp=10982"></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Balancing network security risks ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/hybrid-cloud/370175/balancing-network-security-risks</link>
                                                                            <description>
                            <![CDATA[ A CISO’s guide ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">km7Tc4GNTgtpbpCSFTFGBQ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/eh7ip6FoBjkCUu5fWG29oh-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Mar 2023 11:47:25 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hybrid Cloud]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/eh7ip6FoBjkCUu5fWG29oh-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Blue whitepaper cover with title and logo and image of a digital stack of blocks and balls with padlock, people, and verified images on them]]></media:description>                                                            <media:text><![CDATA[Blue whitepaper cover with title and logo and image of a digital stack of blocks and balls with padlock, people, and verified images on them]]></media:text>
                                <media:title type="plain"><![CDATA[Blue whitepaper cover with title and logo and image of a digital stack of blocks and balls with padlock, people, and verified images on them]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/eh7ip6FoBjkCUu5fWG29oh-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>In today’s working environments, where many businesses have adopted a hybrid working policy, CISOs have the additional challenge of not only ensuring the security of their internal infrastructure, but also their remote employees. And with cyber threats becoming more sophisticated, it can be difficult to prioritise security networks.</p><p>This resource shares five network security practices that CISOs can adopt to mitigate these challenges. From ensuring visibility, to implementing a Zero Trust network, to establishing safety in the cloud, CISOs can ensure they’re covering all security needs.</p><p>Download now to learn how there are no shortcuts when it comes to security compliance, and discover a cloud-native network security solution that can keep all networks safe.</p><p><em>Provided by</em></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="45kyzij2XAsVPuNU7f5egJ" name="" alt="Perimeter 81 logo" src="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" mos="https://cdn.mos.cms.futurecdn.net/45kyzij2XAsVPuNU7f5egJ.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><iframe frameborder="0" height="1000" width="100%" data-lazy-priority="low" data-lazy-src="https://dennis.cvtr.io/forms/49988/perimeter81q1?locale=1&p=false&wp=10979"></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ A roadmap to Zero Trust with Cloudflare and CrowdStrike ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-security/370076/a-roadmap-to-zero-trust-with-cloudflare-and-crowdstrike</link>
                                                                            <description>
                            <![CDATA[ Achieve end-to-end protection across endpoints, networks, and applications ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3Q6QNe3GHw97W6Rim5XKC6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/x2PxhiyBDcMwJVd3mJGTVR-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Feb 2023 17:32:27 +0000</pubDate>                                                                                                                                <updated>Mon, 13 Mar 2023 13:32:27 +0000</updated>
                                                                                                                                            <category><![CDATA[Business Apps]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/x2PxhiyBDcMwJVd3mJGTVR-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Webinar screen with topic discussion and contributor photos]]></media:description>                                                            <media:text><![CDATA[Webinar screen with topic discussion and contributor photos]]></media:text>
                                <media:title type="plain"><![CDATA[Webinar screen with topic discussion and contributor photos]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/x2PxhiyBDcMwJVd3mJGTVR-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Every security leader understands the challenges that cloud migration and distributed workforces pose to their corporate network and endpoints, and the importance of moving to a Zero Trust architecture. But the journey to Zero Trust can seem complex and difficult.</p><p>This recorded session shares how Cloudflare offers one uniform, composable platform to make this journey extremely simple and effective for organisations of all sizes.</p><p>Watch now to discover how joint customers of Cloudflare and CrowdStrike use both platforms to achieve end-to-end protection across endpoints, networks, and applications.</p><p><em>Provided by</em></p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="MotKo6zNeTjhW4aSt5zm36" name="" alt="Cloudflare logo" src="https://cdn.mos.cms.futurecdn.net/MotKo6zNeTjhW4aSt5zm36.png" mos="https://cdn.mos.cms.futurecdn.net/MotKo6zNeTjhW4aSt5zm36.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><iframe frameborder="0" height="1000" width="100%" data-lazy-priority="low" data-lazy-src="https://dennis.cvtr.io/forms/49963/cloudflare-uk-exp-zero-trust-abm-syndication-efpl098805?locale=1&p=false&wp=10850"></iframe>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Businesses urged to remain vigilant as Log4Shell issues persist one year on ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/369684/businesses-urged-to-remain-vigilant-as-log4shell-issues-persist-one-year-on</link>
                                                                            <description>
                            <![CDATA[ Thousands of businesses globally were targeted within just days of the vulnerability disclosure ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7YA7DRAhQ9ekMox8xdqQc2</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bj2B3dhGpNuKwpHFdepXxM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 09 Dec 2022 17:20:50 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bj2B3dhGpNuKwpHFdepXxM-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A red warning sign with the words Log4j underneath on a blue background of ones and zeros]]></media:description>                                                            <media:text><![CDATA[A red warning sign with the words Log4j underneath on a blue background of ones and zeros]]></media:text>
                                <media:title type="plain"><![CDATA[A red warning sign with the words Log4j underneath on a blue background of ones and zeros]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bj2B3dhGpNuKwpHFdepXxM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>One year on from the disclosure of the Log4Shell vulnerability, security researchers are urging businesses to remain vigilant amidst continued threats.</p><p><a href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">Log4Shell</a> is a zero-day remote code execution vulnerability in Java logger Log4j – the most popular used worldwide.</p><p>Log4j is used by a myriad of organisations and woven into virtually every internet service or application, including Twitter, Microsoft, Amazon and many more.</p><p>Naturally, when news of the vulnerability broke in December 2021, organisations globally scrambled to <a href="https://www.itpro.com/security/cyber-security/368554/how-to-protect-against-endemic-log4j-vulnerabilities" data-original-url="https://www.itpro.com/security/cyber-security/368554/how-to-protect-against-endemic-log4j-vulnerabilities">patch the Log4j flaw</a>, which security specialists rightly warned could have wide-reaching implications.</p><p>Researchers at Check Point recorded almost 200,000 attempts to exploit the vulnerability within just 24 hours of disclosure. Similarly, within the space of a week, hackers launched more than 1.2 million attacks globally off the back of the vulnerability.</p><p>In the wake of the <a href="https://www.itpro.com/security/zero-day-exploit/361847/log4shell-zero-day-vulnerability-numbers-revealed" data-original-url="https://www.itpro.com/security/zero-day-exploit/361847/log4shell-zero-day-vulnerability-numbers-revealed">disclosure</a>, cyber security firm Sophos also detected “hundreds of thousands of attempts” to remotely execute code using the vulnerability.</p><p>Analysis by other organisations, including Cloudflare, even suggested that Log4Shell may have been exploited by threat actors for some time prior to its public announcement.</p><h2 id="the-continued-threat-of-log4shell">The continued threat of Log4Shell</h2><p>And as the world entered the new year, businesses continued to feel the pressure. In February, Iranian state-sponsored threat actors used the flaw to target <a href="https://www.itpro.com/security/369531/us-federal-agency-breached-by-iranian-state-backed-hackers-via-log4shell-exploit" data-original-url="https://www.itpro.com/security/369531/us-federal-agency-breached-by-iranian-state-backed-hackers-via-log4shell-exploit">US government networks</a>.</p><p>This particular incident allowed hackers to illegally <a href="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining" data-original-url="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining">mine cryptocurrency</a>, steal credentials, and alter passwords.</p><p>Indeed, throughout 2022 the impact of the Log4Shell vulnerability was felt. October saw a cybercriminal group with links to the Chinese government capitalise on the flaw to launch attacks on targets in the Middle East and a host of manufacturing companies.</p><p>Research published by Tenable in November showed that the problem still lingers. As of October 2022, 72% of organisations still remained vulnerable to Log4Shell – and that includes organisations that initially patched and mitigated threats. </p><p>“As of October 2022, 29% of vulnerable assets saw the reintroduction of Log4Shell even after full remediation was achieved,” the company confirmed in a <a href="https://www.tenable.com/press-releases/tenable-research-finds-72-of-organizations-remain-vulnerable-to-nightmare-log4j">statement</a>.</p><p>Deryck Mitchelson, Field CISO at Check Point described <a href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">Log4j</a> as a “game changer” due to the relative ease with which threat actors could target services and devices around the world.</p><p>“It is estimated that 1 in 10 corporate servers were exposed,” he said. “I think it was a wake-up call for an industry that was relatively blasé around the management of open source libraries and their use therein, and were perhaps too trusting of their vendors and the supply chain’s vulnerability.”</p><h2 id="what-made-log4shell-so-impactful">What made Log4Shell so impactful?</h2><p>The impact of Log4Shell was particularly acute due to rapid ease of exploitation. For threat actors, no privileged access was required to exploit the <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero day vulnerability</a>.</p><p>Similarly, the vast attack surface that could be targeted also exacerbated the situation. Millions of Java applications worldwide were affected.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="46yJM6n4z5ACRWymGnGrKP" name="46yJM6n4z5ACRWymGnGrKP.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/46yJM6n4z5ACRWymGnGrKP.jpg" mos="https://cdn.mos.cms.futurecdn.net/46yJM6n4z5ACRWymGnGrKP.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Enhancing cyber security in an expanding landscape</strong></p><p class="fancy-box__body-text">How secure connections between wireless peripherals can help mitigate cyber incidents and empower employees</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/369671/enhancing-cyber-security-in-an-expanding-landscape" data-original-url="/security/cyber-security/369671/enhancing-cyber-security-in-an-expanding-landscape">FREE DOWNLOAD</a></p></div></div><p>At the time, security specialists noted that the difficulty in finding bugs and patching would likely cause issues for a significant number of organisations.</p><p>Muhammad Yahya Patel, Security Engineer at Check Point said that Log4j acted as a “stark reminder that security needs to underpin all applications and services”.</p><p>“Time is of the essence in these situations,” he added. “It forced many companies to review their vulnerability patch policies; any delay could cost them significantly."</p><p>Patel said that organisations must remain vigilant and learn from zero-day vulnerabilities to avoid similar situations unfolding in the future.</p><p>“Don’t trust open source software without doing your own checks,” he explained. “It is good practice to take open source software and put your security controls around it.”</p><p>“Build software code securely right from the start to avoid any surprises in the future, and make sure any changes to the software pass through your security checks.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google unearths Internet Explorer zero day exploited by North Korean hackers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/369662/internet-explorer-zero-day-exploited-by-north-korean-hackers</link>
                                                                            <description>
                            <![CDATA[ The exploit was found after analysing malware embedded in documents targeting users in South Korea ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dw7q7vXwvaZgJWoWsEijLV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ZPkVWxWnnDoBi8poq2mSwJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 08 Dec 2022 10:59:19 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zach Marzouk ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ncLkbsDMZ6b76Lc5iS6mZh.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ZPkVWxWnnDoBi8poq2mSwJ-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Internet Explorer icon as seen on a smartphone in behind a screen with lines of code]]></media:description>                                                            <media:text><![CDATA[The Internet Explorer icon as seen on a smartphone in behind a screen with lines of code]]></media:text>
                                <media:title type="plain"><![CDATA[The Internet Explorer icon as seen on a smartphone in behind a screen with lines of code]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ZPkVWxWnnDoBi8poq2mSwJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google's cyber security team has identified a zero-day exploit for an Internet Explorer vulnerability that was used to target users in South Korea.</p><p>The tech giant’s Threat Analysis Group (TAG) made the discovery in October 2022 and found malware embedded in documents that were emailed to targets. The hidden malware residing in the documents exploited a vulnerability in the browser's JScript engine, tracked as CVE-2022-41128. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/358834/microsoft-patches-actively-exploited-internet-explorer-flaw" data-original-url="/security/vulnerability/358834/microsoft-patches-actively-exploited-internet-explorer-flaw">Microsoft patches actively exploited Internet Explorer flaw</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/360887/microsoft-patch-tuesday-internet-explorer-zero-day" data-original-url="/security/vulnerability/360887/microsoft-patch-tuesday-internet-explorer-zero-day">Microsoft patches Internet Explorer zero-day under active attack</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/infrastructure/network-internet/356807/microsoft-to-end-internet-explorer-11-support-in-2021" data-original-url="/infrastructure/network-internet/356807/microsoft-to-end-internet-explorer-11-support-in-2021">Microsoft will stop supporting Internet Explorer in 2021</a></p></div></div><p>TAG attributed the attacks to APT37, a known threat group that is has attributed to North Korean state-sponsored hackers. It said that APT37 has used Internet Explorer zero-days in the past to target users, and tends to focus on those based in South Korea including journalists, human rights activists, and North Korean defectors. </p><p>The malware-laden document was titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”, which Google said was attempting to take advantage of public interest in an accident, a Halloween crowd crush, that took place in South Korea in October.</p><p>Multiple submitters from South Korea flagged the <a href="https://www.itpro.com/malware/28076/what-is-malware" target="_blank" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> to Google's TAG by uploading this Microsoft Office document to VirusTotal, a website Google owns that analyses suspicious files, domains, or URLs.</p><p>Researchers found that the document downloaded a rich text file (RTF) remote template which then went on to fetch HTML content.</p><p>“Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199),” said TAG. “Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”</p><p>“The vulnerability resides within “jscript9.dll”, the <a href="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it" target="_blank" data-original-url="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it">JavaScript</a> engine of Internet Explorer, and can be exploited to execute arbitrary code when rendering an attacker-controlled website,” said TAG. “The bug itself is an incorrect JIT optimisation issue leading to a type confusion and is very similar to CVE-2021-34480, which was identified by Project Zero and patched in 2021.”</p><p>TAG informed Microsoft of the vulnerability on 31 October 2022, and it was then assigned the CVE-2022-41128 tracking code. Five days later, on 8 November 2022, the vulnerability was patched.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="46yJM6n4z5ACRWymGnGrKP" name="46yJM6n4z5ACRWymGnGrKP.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/46yJM6n4z5ACRWymGnGrKP.jpg" mos="https://cdn.mos.cms.futurecdn.net/46yJM6n4z5ACRWymGnGrKP.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Enhancing cyber security in an expanding landscape</strong></p><p class="fancy-box__body-text">How secure connections between wireless peripherals can help mitigate cyber incidents and empower employees</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/369671/enhancing-cyber-security-in-an-expanding-landscape" data-original-url="/security/cyber-security/369671/enhancing-cyber-security-in-an-expanding-landscape">FREE DOWNLOAD</a></p></div></div><p>Microsoft has fixed Internet Explorer bugs in the past that were previously exploited by North Korean hackers. The flaw, <a href="https://www.itpro.com/security/vulnerability/358834/microsoft-patches-actively-exploited-internet-explorer-flaw" target="_blank" data-original-url="https://www.itpro.com/security/vulnerability/358834/microsoft-patches-actively-exploited-internet-explorer-flaw">discovered in March 2021</a>, was used to target security researchers through a memory corruption vulnerability which enabled hackers to run malware on a victim’s PC. It did this by encouraging them to access a malicious website.</p><p>In September 2021, Microsoft also had to <a href="https://www.itpro.com/security/vulnerability/360887/microsoft-patch-tuesday-internet-explorer-zero-day" target="_blank" data-original-url="https://www.itpro.com/security/vulnerability/360887/microsoft-patch-tuesday-internet-explorer-zero-day">issue another fix</a> for a <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerability</a> embedded in the browser that powers legacy Internet Explorer. It was a remote code execution flaw embedded in the MSHTML browser engine which allowed hackers to create a malicious ActiveX control which was used by a Microsoft Office document hosting the engine. The attackers would then tempt victims into opening the document.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Unpatched Exchange servers could be behind Rackspace's ransomware attack, according to one researcher ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/369652/unpatched-exchange-servers-behind-rackspace-ransomware-attack</link>
                                                                            <description>
                            <![CDATA[ One security researcher suggested the company's Exchange server build log numbers were from August, months before ProxyNotShell patches were released ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bWvf3Avhq2YkL9J85nAf2h</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/RNoHhY5LgTvUN9qjGyYUVm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 07 Dec 2022 13:04:36 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zach Marzouk ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ncLkbsDMZ6b76Lc5iS6mZh.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/RNoHhY5LgTvUN9qjGyYUVm-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A hand holding a smartphone with the Rackspace logo on it]]></media:description>                                                            <media:text><![CDATA[A hand holding a smartphone with the Rackspace logo on it]]></media:text>
                                <media:title type="plain"><![CDATA[A hand holding a smartphone with the Rackspace logo on it]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/RNoHhY5LgTvUN9qjGyYUVm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Rackspace's recently confirmed ransomware attack allegedly may have been facilitated by hackers exploiting the company's out-of-date Exchange clusters, according to one researcher.</p><p>The cloud computing firm confirmed the attack on 6 December had affected its hosted Microsoft Exchange environment, the fallout from which is causing service disruptions for customers.</p><p>It was suggested by security researcher Kevin Beaumont that the cyber criminals were able to launch their attack after exploiting Exchange server clusters that didn't appear to have been patched since August 2022, before the patches for the <a href="https://www.itpro.com/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday" target="_blank" data-original-url="https://www.itpro.com/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday">ProxyNotShell</a> exploit were released.</p><p>In his <a href="https://doublepulsar.com/rackspace-cloud-office-suffers-security-breach-958e6c755d7f">analysis</a> Beaumont added that Exchange log build numbers aren’t always reliable, and the breach could have happened because of other issues.</p><p>Microsoft released the <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045" target="_blank">patch</a> for the ProxyNotShell vulnerability at the start of November. It implemented fixes for two security issues that affect Microsoft Exchange Server 2013, 2016, and 2019. Attackers were able to escalate privileges to run <a href="https://www.itpro.com/operating-systems/microsoft-windows/356552/what-is-windows-powershell" target="_blank" data-original-url="https://www.itpro.com/operating-systems/microsoft-windows/356552/what-is-windows-powershell">PowerShell</a> and achieve arbitrary or remote code execution, enabling them to target server accounts. Attackers can then try to trigger malicious code.</p><p>“The Microsoft-supplied mitigations for ProxyNotShell are bypassable," said Beaumont. "IIS rewrite, which Microsoft used for mitigations, doesn’t decode all URLs correctly and as such can be bypassed for exploitation. If you relied on the PowerShell mitigation or EEMS application, your Exchange Server is still vulnerable - Microsoft just hasn't told you this clearly. The fix is to <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">patch</a>."</p><p>He added that the exploits function without multi-factor <a href="https://www.itpro.com/security/29982/what-is-two-factor-authentication" target="_blank" data-original-url="https://www.itpro.com/security/29982/what-is-two-factor-authentication">authentication</a> as Exchange Server doesn’t support Modern Authentication, due to Microsoft deprioritising this implementation work.</p><p>“If you are an MSP running a shared cluster, such as hosted Exchange, it means that one compromised account on one customer will compromise the entire hosted cluster. This is high risk,” said Beaumont.</p><h2 id="scale-of-the-attack">Scale of the attack</h2><p>Rackspace believes the attack only affected its hosted Exchange business, and its other products and services are fully operational.</p><p>It’s committed to implementing additional <a href="https://www.itpro.com/security/cyber-security/368543/six-cyber-security-holes-you-need-to-plug-now" target="_blank" data-original-url="https://www.itpro.com/security/cyber-security/368543/six-cyber-security-holes-you-need-to-plug-now">security</a> measures and is monitoring its systems for any suspicious activity. It has also hired an incident response firm to investigate the matter, alongside its internal security team. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday" data-original-url="/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday">Microsoft still searching for zero-day fixes following Patch Tuesday</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/369263/third-microsoft-exchange-sever-zero-day-exploit-fix-bypassed" data-original-url="/security/zero-day-exploit/369263/third-microsoft-exchange-sever-zero-day-exploit-fix-bypassed">Microsoft's third mitigation update for Exchange Server zero-day exploit bypassed within hours</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/network-internet/mail-servers/368079/state-sponsored-hackers-delay-new-microsoft-exchange-server-four-years" data-original-url="/network-internet/mail-servers/368079/state-sponsored-hackers-delay-new-microsoft-exchange-server-four-years">State-sponsored hackers delay new Microsoft Exchange Server by four years</a></p></div></div><p>Rackspace is helping Hosted Exchange customers to migrate their data to a new environment as rapidly as it can, it said. It has increased the amount of support staff it has to help with this and is aiming to help customers through the migration process so that their own operations aren’t impacted as much. </p><p>“Although Rackspace Technology is in the early stages of assessing this incident, the incident has caused and may continue to cause an interruption in its Hosted Exchange business and may result in a loss of revenue for the hosted Exchange business, which generates approximately $30 million of annual revenue in the apps and cross-platform segment,” said the company. “In addition, Rackspace Technology may have incremental costs associated with its response to the incident.”</p><p>Thousands of companies across the world will feel the consequences of this attack, said Jordan Schroeder, managing CISO at Barrier Networks. He said that it will also underline the duty organisations that store or host business data have to also keep it secure.</p><p>“Rackspace also must re-evaluate its defences against <a href="https://www.itpro.com/security/ransomware/369506/ransomware-why-do-businesses-still-pay-up" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/369506/ransomware-why-do-businesses-still-pay-up">ransomware</a>, because when it comes to modern threats, prevention is always better than cure,” said Schroeder. “This involves re-establishing their cyber hygiene baseline, using <a href="https://www.itpro.com/security/network-security/358282/what-is-zero-trust" data-original-url="https://www.itpro.com/security/network-security/358282/what-is-zero-trust">zero trust</a> principles to limit the impact of breaches by protecting key accounts and preventing lateral movement, and training employees regularly on cybersecurity and the evolving threat landscape.”</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="zxgJhZ9MYsxYh8heefErtH" name="zxgJhZ9MYsxYh8heefErtH.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/zxgJhZ9MYsxYh8heefErtH.png" mos="https://cdn.mos.cms.futurecdn.net/zxgJhZ9MYsxYh8heefErtH.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The long road ahead to ransomware preparedness</strong></p><p class="fancy-box__body-text">Getting to the bigger truth</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/369492/the-long-road-ahead-to-ransomware-preparedness" data-original-url="/security/ransomware/369492/the-long-road-ahead-to-ransomware-preparedness">FREE DOWNLOAD</a></p></div></div><p>The company first <a href="https://status.apps.rackspace.com/index/viewincidents?group=2" target="_blank">reported</a> that the incident began on 2 December, communicating that it was investigating an issue on its hosted Exchange environments.</p><p>Hours later, it told customers it was working through an issue with hosted Exchange accounts and that it had proactively shut down the environment to avoid further issues. It also gave customers access to Microsoft Exchange Plan 1 licences on Microsoft 365 as a temporary workaround.</p><p>The next day, Rackspace said the issue was a security incident that affected a portion of its hosted Exchange platform. On 4 December, the company said the incident was set to be an extended outage of the hosted Exchange.</p><p>It urged customers to move to <a href="https://www.itpro.com/business-operations/productivity/368062/10-best-features-of-microsoft-365-for-small-businesses" target="_blank" data-original-url="https://www.itpro.com/business-operations/productivity/368062/10-best-features-of-microsoft-365-for-small-businesses">Microsoft 365,</a> saying this was the best solution. Although it said that it had restored email services to thousands of customers on Microsoft 365, it said that it understood that self-migration wasn't simple and could be challenging to implement.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Spanish spyware outfit uncovered, develops exploits for Windows, Chrome, and Firefox ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/spyware/369624/spanish-spyware-outfit-exploit-windows-chrome-firefox</link>
                                                                            <description>
                            <![CDATA[ Google was only able to discover the company after an anonymous submission was made to its Chrome bug reporting programme ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cNidAx1jx2TnNJ31ENNGeK</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/AwcyAPjBPanucM4Cu3SfX8-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 01 Dec 2022 15:20:16 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Workspace]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Google]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zach Marzouk ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ncLkbsDMZ6b76Lc5iS6mZh.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/AwcyAPjBPanucM4Cu3SfX8-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The beach front in Barcelona ]]></media:description>                                                            <media:text><![CDATA[The beach front in Barcelona ]]></media:text>
                                <media:title type="plain"><![CDATA[The beach front in Barcelona ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/AwcyAPjBPanucM4Cu3SfX8-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google has tied a previously unknown spyware operation to a private company in Spain after receiving an anonymous tip-off regarding the malicious activity.</p><p>Its Threat Analysis Group (TAG) said the evidence suggests that Barcelona-based Variston IT has developed an exploit framework which leveraged zero days in Windows Defender, Firefox, and Chrome.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/359049/dangerous-android-spyware-disguising-itself-as-system-update-app" data-original-url="/security/malware/359049/dangerous-android-spyware-disguising-itself-as-system-update-app">Android spyware disguised as 'system update' app discovered</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/368629/mysterious-macos-spyware-using-public-cloud-storage-control-server" data-original-url="/security/malware/368629/mysterious-macos-spyware-using-public-cloud-storage-control-server">Mysterious MacOS spyware discovered using public cloud storage as its control server</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials" data-original-url="/security/spyware/361760/nso-group-reportedly-hacked-multiple-us-officials">NSO Group reportedly hacked multiple US officials</a></p></div></div><p>Google said the operation tied to Variston IT had developed the Heliconia framework which itself was split into smaller frameworks that exploited different systems and applications, like Windows and Chrome. The product gives customers all the tools needed to deploy a payload to a target device.</p><p>The frameworks included mature source code that could deploy the exploits. The first was Heliconia Noise, a web framework used to deploy an exploit for a Chrome renderer bug, followed by a sandbox escape.</p><p>Heliconia Soft was a separate web framework that dropped a malicious PDF to exploit a vulnerability in Windows Defender. The third and final framework was called Files - it consisted of a set of exploits targeting Firefox versions on both Windows and Linux systems.</p><p>The three companies targeted in the exploit, Microsoft, Mozilla, and Google, fixed the vulnerabilities in 2021 and early 2022. Google said it hadn’t detected active exploitation of the now-patched vulnerabilities, but instead predicted that they were used as <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" target="_blank" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-days</a> in earlier attacks.</p><p>The tech giant only became aware of the Heliconia framework when it received an anonymous submission to its Chrome bug reporting programme.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="zxgJhZ9MYsxYh8heefErtH" name="zxgJhZ9MYsxYh8heefErtH.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/zxgJhZ9MYsxYh8heefErtH.png" mos="https://cdn.mos.cms.futurecdn.net/zxgJhZ9MYsxYh8heefErtH.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The long road ahead to ransomware preparedness</strong></p><p class="fancy-box__body-text">Getting to the bigger truth</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/369492/the-long-road-ahead-to-ransomware-preparedness" data-original-url="/security/ransomware/369492/the-long-road-ahead-to-ransomware-preparedness">FREE DOWNLOAD</a></p></div></div><p>“The submitter filed three bugs, each with instructions and an archive that contained source code,” said Google TAG researchers in a blog post. “They used unique names in the bug reports including, ‘Heliconia Noise,’ ‘Heliconia Soft’, and ‘Files'.</p><p>"TAG analysed the submissions and found they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible <a href="https://www.itpro.com/software/development/356827/how-to-become-a-developer-a-beginners-guide" target="_blank" data-original-url="https://www.itpro.com/software/development/356827/how-to-become-a-developer-a-beginners-guide">developer</a> of the exploitation frameworks, Variston IT.”</p><p>Heliconia Noise, for example, leaked the name of the company in a line of code that prevented the framework from generating binaries containing strings such as 'Variston'.</p><p>The same for loop in Heliconia Noise's code also leaked the aliases of the developers who worked on the project: majinbuu, janemba, and freezer - all references to characters in the Dragon Ball manga franchise.</p><p>Google said that commercial <a href="https://www.itpro.com/spyware/30001/what-is-spyware" target="_blank" data-original-url="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a> is used by governments to spy on journalists, human rights activists, and political opposition through its advanced surveillance abilities. The tech giant is aiming to disrupt the threat of these types of companies to protect users and raise awareness of the industry, it said.</p><p><em>IT Pro</em> has contacted Variston for comment. It appears to be registered at an address in Barcelona and was founded by Jayaraman Ramanan and Ralf Dieter Wegener in 2018, according to <a href="https://www.datoscif.es/empresa/variston-information-technology-sl" target="_blank"><em>Datos Cif</em></a>, a Spanish database containing information about companies. Deloitte is also named as its auditor.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google rolls out patch for high-severity Chrome browser zero day ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/369597/google-rolls-out-patch-for-high-severity-chrome-browser-zero-day</link>
                                                                            <description>
                            <![CDATA[ It's the eighth time this year Google has been forced to address a zero-day vulnerability in its world-leading browser ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">4aQ8cFBu8YnXUSrZ2kr9So</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/QCRhwsVhmvbdnfreEQHQfM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 25 Nov 2022 10:17:03 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/QCRhwsVhmvbdnfreEQHQfM-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Google Chrome logo on a Chromebook]]></media:description>                                                            <media:text><![CDATA[Google Chrome logo on a Chromebook]]></media:text>
                                <media:title type="plain"><![CDATA[Google Chrome logo on a Chromebook]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/QCRhwsVhmvbdnfreEQHQfM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google has patched a zero-day vulnerability in its Chrome browser, the eighth of its kind this year. </p><p>The vulnerability was caused by a “heap buffer overflow in GPU”, Google said. Such vulnerabilities can allow attackers to modify the data stored in the application’s heap, potentially altering what data the Chrome Browser outputs.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="3DZhQDJwxTFW2pV3wWSxmJ" name="3DZhQDJwxTFW2pV3wWSxmJ.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/3DZhQDJwxTFW2pV3wWSxmJ.jpg" mos="https://cdn.mos.cms.futurecdn.net/3DZhQDJwxTFW2pV3wWSxmJ.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Solve cyber resilience challenges with storage solutions</strong></p><p class="fancy-box__body-text">Fundamental capabilities of cyber-resilient IT infrastructure</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/368460/solve-cyber-resilience-challenges-with-storage-solutions" data-original-url="/security/368460/solve-cyber-resilience-challenges-with-storage-solutions">FREE DOWNLOAD</a></p></div></div><p>The exploitation of buffer overflow flaws could also lead to general data corruption within the application, or the manipulation of the Chrome browser’s internal structures.</p><p>It has been assigned a severity rating of ‘high’ although a specific CVSSv3 score has not yet been released. </p><p>‘High’ severity ratings typically indicate a score in the range of 7.0-8.9 - the second-highest severity classification on the widely used metric.</p><p>Google assigned the vulnerability with a CVE for <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">vulnerability tracking and management</a> (CVE-2022-4135) and released the new stable channel version of Google Chrome on Thursday across Windows, macOS, and Linux.</p><p>Google <a href="https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html">said</a> it will be keeping more detailed information on the vulnerability under wraps until more users have had time to install the update.</p><p>It will also refrain from releasing further details if the Google Chrome team find the issue to be present in a third-party library on which other applications depend, for example, at least until that library also releases a fix.</p><p>The vulnerability was discovered by Clement Lecigne, security engineer at Google’s Threat Analysis Group - its security team primarily devoted to countering <a href="https://www.itpro.com/security/34794/what-threat-do-nation-state-hackers-pose-to-businesses" data-original-url="https://www.itpro.com/security/34794/what-threat-do-nation-state-hackers-pose-to-businesses">government-backed hacking</a> efforts - and Google made no indication that the vulnerability has been actively exploited in the wild.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/369038/cisa-warns-against-actively-exploited-chrome-and-d-link-security" data-original-url="/security/cyber-security/369038/cisa-warns-against-actively-exploited-chrome-and-d-link-security">CISA warns against actively exploited Chrome and D-Link security flaws</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/chromium/32681/what-is-chromium" data-original-url="/chromium/32681/what-is-chromium">What is Chromium?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/phishing/367794/google-chrome-branded-the-least-effective-browser-for-stopping-phishing" data-original-url="/security/phishing/367794/google-chrome-branded-the-least-effective-browser-for-stopping-phishing">Google Chrome branded the least effective browser for stopping phishing attacks</a></p></div></div><p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4135">CVE-2022-4135</a> marks the eighth <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerability</a> found in Google Chrome since the start of 2022 and the second zero-day caused by a heap buffer overflow.</p><p>Three of the eight zero-days affecting the world’s most popular browser have been caused by errors in Google’s proprietary and <a href="https://www.itpro.com/software/28109/what-is-open-source" data-original-url="https://www.itpro.com/software/28109/what-is-open-source">open-sourced</a> <a href="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it" data-original-url="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it">JavaScript</a> V8 engine. </p><p>Since other major browsers also run on <a href="https://www.itpro.com/chromium/32681/what-is-chromium" data-original-url="https://www.itpro.com/chromium/32681/what-is-chromium">Chromium</a>, such as <a href="https://www.itpro.com/web-browsers/24796/best-browser-chrome-vs-edge-vs-firefox" data-original-url="https://www.itpro.com/web-browsers/24796/best-browser-chrome-vs-edge-vs-firefox">Microsoft Edge</a>, Opera, Vivaldi, and others, these were also vulnerable because they too relied on Google’s V8 engine.</p><p>The full list of Google Chrome zero-day vulnerabilities found in 2022 can be found below:</p><ul><li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3723">CVE-2022-3723</a></li><li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3075">CVE-2022-3075</a></li><li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2856">CVE-2022-2856</a></li><li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2294">CVE-2022-2294</a></li><li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1364">CVE-2022-1364</a></li><li><a href="https://www.itpro.com/security/zero-day-exploit/367226/google-urgent-patch-chrome-zero-day" data-original-url="https://www.itpro.com/security/zero-day-exploit/367226/google-urgent-patch-chrome-zero-day">CVE-2022-1096</a></li><li><a href="https://www.itpro.com/security/vulnerability/362243/google-chrome-zero-day-under-active-exploitation" data-original-url="https://www.itpro.com/security/vulnerability/362243/google-chrome-zero-day-under-active-exploitation">CVE-2022-0609</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Second-ever OpenSSL critical vulnerability teased, 10 years after Heartbleed ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/369419/second-ever-openssl-critical-vulnerability-teased-10-years-after-heartbleed</link>
                                                                            <description>
                            <![CDATA[ All OpenSSL versions beyond 3.0 are at risk, with more details due to be released alongside a patch on 1 November ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bm3pTLhyk4xUKjam8sSRc1</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/KAE3tGXMEcRfgDxLP9qFH4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 28 Oct 2022 10:39:47 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/DnNrFxEA7RRECVgFxXR4V7.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/KAE3tGXMEcRfgDxLP9qFH4-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Bright blue code appearing on screen to denote hacking]]></media:description>                                                            <media:text><![CDATA[Bright blue code appearing on screen to denote hacking]]></media:text>
                                <media:title type="plain"><![CDATA[Bright blue code appearing on screen to denote hacking]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/KAE3tGXMEcRfgDxLP9qFH4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The OpenSSL Project, which runs the widely-used OpenSSL library, has announced it will issue a critical vulnerability patch on 1 November. </p><p>The announcement marks the first OpenSSL critical vulnerability patch since 2016, and only the second in the project’s history. Full details of the flaw will be revealed at the time of the patch to reduce the possibility of attackers reverse engineering to develop an exploit.</p><p>However, it has already been stated that the vulnerability does not affect versions earlier than OpenSSL 3.0, with the patch forming part of the 3.07 release. This appears to mean that devices which run versions before 3.0, which was released in 2021, should remain unaffected by the vulnerability.</p><p>“Given the number of changes in 3.0 and the lack of any other context information, such scouring is very highly unlikely,” said Mark J Cox, former head of product security at Red Hat and one of the co-founders of OpenSSL, responding to a question in his original announcement <a href="http://twitter.com/iamamoose/status/1584908434855628800?t=phPCO2jxhUSsr_x334xuVA&s=19">tweet</a>.</p><p>While the 2016 flaw allowed for remote execution of code, it was only active for four days before being caught and patched. In contrast, the newly-announced vulnerability affects all versions after 3.0 which was released in September 2021.</p><p>OpenSSL is the most popular open source <a href="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption" data-original-url="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption">cryptography</a> library in the world and is used by the majority of <a href="https://www.itpro.com/network-internet/30416/http-vs-https-what-difference-does-it-make-to-security" data-original-url="https://www.itpro.com/network-internet/30416/http-vs-https-what-difference-does-it-make-to-security">HTTPS</a> websites as well as on a range of web servers. As such, a critical vulnerability within its code could represent a serious threat to a wide range of businesses, as well as to individual privacy online.</p><p>The OpenSSL Project <a href="https://www.openssl.org/policies/general/security-policy.html">policy</a> states that in the event of an upcoming patch to a flaw rated ‘critical’ in severity, a warning will be made publicly available to notify users of the exact date and rough time at which the patch will be made available.</p><p>Alongside this, select organisations will be given patches early, as well as briefings on the exact nature and seriousness of the flaw.</p><p>Some are already drawing comparisons between the upcoming announcement and 2014’s Heartbleed vulnerability, tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2014-0160">CVE-2014-0160</a>, which garnered widespread media attention and concern in 2014 as it allowed threat actors to view data on any website utilising OpenSSL.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="7482i6KDvixdNzMG9kSCyL" name="7482i6KDvixdNzMG9kSCyL.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/7482i6KDvixdNzMG9kSCyL.png" mos="https://cdn.mos.cms.futurecdn.net/7482i6KDvixdNzMG9kSCyL.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The financial services survival guide</strong></p><p class="fancy-box__body-text">How uncertainty and disruption is forcing financial services to innovate</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/business-operations/finance/369314/the-financial-services-survival-guide" data-original-url="/business-operations/finance/369314/the-financial-services-survival-guide">FREE DOWNLOAD</a></p></div></div><p>It is also likely to add to <a href="https://www.itpro.com/development/open-source/369079/organisations-are-scaling-back-their-open-source-software-due-to" data-original-url="https://www.itpro.com/development/open-source/369079/organisations-are-scaling-back-their-open-source-software-due-to">growing fear of using open source</a> solutions amongst companies, especially in the wake of the damaging <a href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">Log4Shell vulnerability</a>.</p><p>“The announcement of the new OpenSSL critical vulnerability immediately brought back not-so-fond memories of Heartbleed or - more recently - the Log4J vulnerability,” said Mattias Gees, container product lead at Venafi.</p><p>“Heartbleed had a significant impact on all operations teams worldwide, and since then IT infrastructure has become ten times more complicated. The attack vector has become a lot larger, and rather than just having to examine their <a href="https://www.itpro.com/612016/what-is-virtualisation" data-original-url="https://www.itpro.com/612016/what-is-virtualisation">VMs</a>, organisations need to start preparing to patch all their container images in response to this announcement.</p><p>“We also now know that OpenSSL versions prior to 3.0 are not impacted, and a lot of operating systems use OpenSSL 1.1, so these environments won’t be impacted. This knowledge will allow cybersecurity and operations teams to dismiss large sections of their infrastructure, and hopefully make the impact of this vulnerability smaller than initially expected. But platform engineering teams should keep investing in better auditing of their environments and their dependencies for the next threat, which is always just around the corner.”</p><h2 id="what-was-the-heartbleed-vulnerability">What was the Heartbleed vulnerability?</h2><p>In 2014, security researchers discovered a flaw within the OpenSSL software library, which could be exploited by threat actors in order to track the activity of targets online, as well as serruptiously steal data entered on web pages. At the time of identification, some researchers worried that <a href="https://www.itpro.com/security/22101/heartbleed-bug-everything-you-need-to-know" data-original-url="https://www.itpro.com/security/22101/heartbleed-bug-everything-you-need-to-know">Heartbleed</a> may have been exploited in the wild since 2012.</p><p>This was possible due to a coding error in the ‘heartbeat’ extension within OpenSSL, through which users could test transport layer security (TLS) encryption by sending data (typically a text string) and an integer representing the number of characters in the string to a computer or server device, which would then ‘echo’ the string back exactly.</p><p>As it was possible to send a string of a length equivalent to 64 KiB of data, that much memory was reserved for returns using the extension. However, it was discovered that if users only sent a nominal amount of data, but a length figure equal to 64KiB, the computer at the end would echo back the data sent, along with 64-1KiB of data from its memory buffer. This could reveal passwords entered, private server keys, sensitive user cookies — whatever happened to be in the memory at the time of the request.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">What is the Log4Shell vulnerability?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/development/open-source/369079/organisations-are-scaling-back-their-open-source-software-due-to" data-original-url="/development/open-source/369079/organisations-are-scaling-back-their-open-source-software-due-to">Organisations are scaling back their open source software due to security fears – Anaconda</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday" data-original-url="/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday">Microsoft still searching for zero-day fixes following Patch Tuesday</a></p></div></div><p>As a result, threat actors were unable to specify precisely what data they would expose through each attack, but through repeat executions were able to invisibly monitor activity on any website which used OpenSSL, and exfiltrate data without any possibility of detection.</p><p>Given the scale at which OpenSSL is used throughout the internet, from financial services to critical backend apps, the Heartbleed vulnerability prompted considerable alarm within the cyber security community. Although a fix was quickly released, the fact that attacks carried out using the vulnerability left no trace made it hard to say for certain just how far reaching its impact was, and whose data has been stolen. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple patches actively exploited iPhone, iPad zero-day and 18 other security flaws ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/369381/apple-patches-actively-exploited-iphone-ipad-zero-day-18-others</link>
                                                                            <description>
                            <![CDATA[ The out-of-bounds write error is the eighth actively exploited zero-day impacting Apple hardware this year and could facilitate kernel-level code execution ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">a1pSBAhC7jToGQWVcCXoBu</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Lf5tVNMLrtzubvq3F5AhRk-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 25 Oct 2022 10:33:46 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/DnNrFxEA7RRECVgFxXR4V7.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Lf5tVNMLrtzubvq3F5AhRk-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Apple logo on a glass storefront in Ireland]]></media:description>                                                            <media:text><![CDATA[The Apple logo on a glass storefront in Ireland]]></media:text>
                                <media:title type="plain"><![CDATA[The Apple logo on a glass storefront in Ireland]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Lf5tVNMLrtzubvq3F5AhRk-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has released an update providing a number of patches for iOS and iPadOS, including one zero-day that “may have been actively exploited".</p><p>Tracked as CVE-2022-42827, the zero-day vulnerability was the result of an out-of-bounds write error in the kernel, which could be used by threat actors to execute malicious code on the kernel level.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="moQ7m7Ygm4UQiwkmvgFG3m" name="moQ7m7Ygm4UQiwkmvgFG3m.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/moQ7m7Ygm4UQiwkmvgFG3m.png" mos="https://cdn.mos.cms.futurecdn.net/moQ7m7Ygm4UQiwkmvgFG3m.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>How to trust your inbox with Cloudflare Area 1</strong></p><p class="fancy-box__body-text">Why your current email security may not be enough</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/369345/how-to-trust-your-inbox-with-cloudflare-area-1" data-original-url="/security/369345/how-to-trust-your-inbox-with-cloudflare-area-1">FREE DOWNLOAD</a></p></div></div><p>This could allow for custom, potentially malicious programs to be run on the victim’s device, as well as putting all data on it at serious risk of exfiltration or destruction.</p><p>An out-of-bounds write error occurs when a program writes beyond the end of an intended buffer or specified array, and typically results in a crash or corruption of data. If exploited, they can be used to modify system data and execute code on impacted devices remotely.</p><p>In its <a href="https://support.apple.com/en-gb/HT201222">post</a> for the iOS 16.1 and iPadOS 16 security updates, Apple noted that through the flaw an “application may be able to execute arbitrary code with kernel privileges".</p><p>Beyond this, the firm offered little detail of the precise nature of the <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day</a>, in line with its policies on security issues and in accordance with its longstanding approach of providing little detail on security incidents.</p><p>“For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available,” stated a notice in the update post.</p><p>Affected devices include all of its smartphones from iPhone 8 and above, all models of the <a href="https://www.itpro.com/hardware/tablets/361463/apple-ipad-pro-129in-2021-review-a-giant-leap-for-apple-silicon" data-original-url="https://www.itpro.com/hardware/tablets/361463/apple-ipad-pro-129in-2021-review-a-giant-leap-for-apple-silicon">iPad Pro</a>, iPad Air 3rd generation and above, and iPad and iPad Mini - both 5th generation and above.</p><p>Beyond the zero-day, the latest security update also provides patches for 18 other vulnerabilities. Of these, two more were in the kernel, though these are not thought to be actively exploited, while three were in WebKit, Apple’s browser engine which powers Safari.</p><p>Other flaws were fixed in the point-to-point protocol (PPP), a <a href="https://www.itpro.com/network-internet/internet-protocol-version-6-ipv6/360855/what-is-tcpip" data-original-url="https://www.itpro.com/network-internet/internet-protocol-version-6-ipv6/360855/what-is-tcpip">TCP/IP</a> protocol used to send data between devices, as well as in core Bluetooth and the GPU drivers.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/369044/the-iphone-security-features-that-come-with-ios-16" data-original-url="/security/369044/the-iphone-security-features-that-come-with-ios-16">A breakdown of iOS 16's security features</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/368841/apple-patches-superpower-zero-days-affecting-iphones-ipads-and-macs" data-original-url="/security/zero-day-exploit/368841/apple-patches-superpower-zero-days-affecting-iphones-ipads-and-macs">Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday" data-original-url="/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday">Microsoft still searching for zero-day fixes following Patch Tuesday</a></p></div></div><p>The patch marks the ninth overall update addressing a zero-day flaw by Apple this year. In September, the tech giant <a href="https://www.itpro.com/security/zero-day-exploit/369052/apple-patches-yet-another-zero-day-flaw-in-substantial-security-update" data-original-url="https://www.itpro.com/security/zero-day-exploit/369052/apple-patches-yet-another-zero-day-flaw-in-substantial-security-update">patched a similar kernel vulnerability</a>, which allowed for arbitrary code to be executed with kernel privileges. This vulnerability also affected macOS Monterey, and had been potentially exploited in the wild by the time it was patched.</p><p>In August, Apple patched a <a href="https://www.itpro.com/security/zero-day-exploit/368841/apple-patches-superpower-zero-days-affecting-iphones-ipads-and-macs" data-original-url="https://www.itpro.com/security/zero-day-exploit/368841/apple-patches-superpower-zero-days-affecting-iphones-ipads-and-macs">'superpower' zero-day affecting WebKit</a>, in which threat actors could use remote code execution (RCE) to alter web pages, which would then run malicious code on Apple devices that visited them.</p><p>More recently, earlier this month Apple was forced to release a fix for a denial of service vulnerability, tracked as CVE-2022-22658, affecting iPhones 8 and newer.</p><p>Apple said that processing a maliciously crafted message could lead to denial of service and was fixed in its iOS 16.0.3 by improving input validation.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Fortinet reiterates call to mitigate against active zero-day, as customers delay fixes ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/369336/fortinet-call-to-mitigate-against-active-zero-day-customers-delay-patches</link>
                                                                            <description>
                            <![CDATA[ A large number of customers have yet to apply mitigations necessary to avoid the critical vulnerability ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9RdGZ55UybYuRFKADTSuWz</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/EbCCK9B4A8MjWT59KzrtnU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 18 Oct 2022 15:50:54 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/DnNrFxEA7RRECVgFxXR4V7.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/EbCCK9B4A8MjWT59KzrtnU-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Fortinet logo on a phone, with blue binary code in the background]]></media:description>                                                            <media:text><![CDATA[The Fortinet logo on a phone, with blue binary code in the background]]></media:text>
                                <media:title type="plain"><![CDATA[The Fortinet logo on a phone, with blue binary code in the background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/EbCCK9B4A8MjWT59KzrtnU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Fortinet has issued an urgent warning to customers advising once again to update devices against a zero-day vulnerability that has been exploited at least once in the wild.</p><p>FortiOS, FortiProxy, and FortiSwitchManager are all affected by the <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day</a>, an authentication bypass flaw which allows threat actors to run operations on a device’s administrative interface. Tracked as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684">CVE-2022-40684</a>, the vulnerability carries a CVSS score of 9.6, and is therefore considered critical.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="nAkAthFBggqpbeuovZyehc" name="nAkAthFBggqpbeuovZyehc.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/nAkAthFBggqpbeuovZyehc.png" mos="https://cdn.mos.cms.futurecdn.net/nAkAthFBggqpbeuovZyehc.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Facilitating Fintech</strong></p><p class="fancy-box__body-text">Reducing the risk of potential data interception among fintech solutions</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/369240/facilitating-fintech" data-original-url="/security/369240/facilitating-fintech">FREE DOWNLOAD</a></p></div></div><p>Before going public with the zero-day on October 10, Fortinet privately contacted the owners of potentially affected devices on October 6, with a list of recommended mitigations. However, the company has said that, at the time of writing, many devices have still not been updated or had <a href="https://www.fortiguard.com/psirt/FG-IR-22-377">mitigations</a> applied, leaving a large number of customers at risk of cyber attacks and opening networks to threats such as <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a>, <a href="https://www.itpro.com/security/29241/what-are-the-different-types-of-ransomware" data-original-url="https://www.itpro.com/security/29241/what-are-the-different-types-of-ransomware">ransomware</a>, and <a href="https://www.itpro.com/security/28810/how-to-react-to-a-data-breach" data-original-url="https://www.itpro.com/security/28810/how-to-react-to-a-data-breach">data breaches</a>.</p><p>FortiProxy OS versions 7.0.0 to 7.2.1 are affected by the flaw, along with FortiProxy versions 7.0.0 to 7.2.0, and FortiSwitchManager 7.0.0 and 7.2.0. In response, the company has released a number of updates, as well as <a href="https://www.fortiguard.com/psirt/FG-IR-22-377">manual workarounds</a> for the three affected services.</p><p>“After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability,” reads Fortinet’s <a href="https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684">blog post</a> on the update.</p><p>“Based on this development, Fortinet again recommends customers and partners take urgent and immediate action as described in the public Advisory.”</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/5g/368870/nec-and-fortinet-partner-to-deliver-high-performance-security-5g-networks" data-original-url="/mobile/5g/368870/nec-and-fortinet-partner-to-deliver-high-performance-security-5g-networks">NEC and Fortinet partner to deliver high-performance security for 5G networks</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday" data-original-url="/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday">Microsoft still searching for zero-day fixes following Patch Tuesday</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/endpoint-security/34536/mastering-endpoint-security-implementation" data-original-url="/endpoint-security/34536/mastering-endpoint-security-implementation">Mastering endpoint security implementation</a></p></div></div><p>The exploit has now been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">‘known vulnerabilities’ catalogue</a>, which is <a href="https://www.itpro.com/security/cyber-security/367816/cisa-adds-41-vulnerabilities-to-catalog-of-exploited-bugs" data-original-url="https://www.itpro.com/security/cyber-security/367816/cisa-adds-41-vulnerabilities-to-catalog-of-exploited-bugs">regularly updated</a> with threats that the agency considers an active threat to federal operations. As a result of being added to the list, federal agencies have until November 1 to patch all Fortinet equipment and apply appropriate mitigations.</p><p>“This is a critical vulnerability,” stated Avishai Avivi, CISO at SafeBreach.</p><p>“It basically allows the malicious actor to take control of the organisation’s firewall. We join Fortinet in their recommendation. With this being a zero-day vulnerability, we also strongly recommend that organisations take steps to validate their firewall configuration.</p><p>"If an attacker manages to take control of the <a href="https://www.itpro.com/security/firewalls/368739/fortinet-unveils-fastest-compact-firewall-for-hyperscale-data-centers-and" data-original-url="https://www.itpro.com/security/firewalls/368739/fortinet-unveils-fastest-compact-firewall-for-hyperscale-data-centers-and">firewall</a>, they can modify the firewall configuration to remove protection, add potential vectors for the attacker to use, and even add users. This is also an important reminder that companies should always keep a <a href="https://www.itpro.com/backup/29847/best-free-backup-software" data-original-url="https://www.itpro.com/backup/29847/best-free-backup-software">backup</a> copy of their firewall configuration files.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft still searching for zero-day fixes following Patch Tuesday ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/369296/microsoft-still-searches-for-zero-day-fixes-following-patch-tuesday</link>
                                                                            <description>
                            <![CDATA[ ProxyNotShell remains unaddressed even as Microsoft fixes several critical flaws in its monthly package of security patches ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3up5cTmNTWxCdnA1dy2X4V</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/xQfg5Vc7YXULHE5hc4CvHi-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 12 Oct 2022 11:20:15 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/DnNrFxEA7RRECVgFxXR4V7.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/xQfg5Vc7YXULHE5hc4CvHi-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Win 11 on a smartphone in front of code on a monitor]]></media:description>                                                            <media:text><![CDATA[Win 11 on a smartphone in front of code on a monitor]]></media:text>
                                <media:title type="plain"><![CDATA[Win 11 on a smartphone in front of code on a monitor]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/xQfg5Vc7YXULHE5hc4CvHi-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has released patches for 96 different vulnerabilities in its monthly Patch Tuesday, but has still failed to address the zero-days dubbed ‘ProxyNotShell’, leaving Exchange Servers at potential risk as the company searches for a solution.</p><p>Discovered last month, the pair of zero-day vulnerabilities that comprise ProxyNotShell consists of a server-side request forgery (SSRF) flaw and a remote code execution (RCE) bug that affects Microsoft Exchange versions 2013, 2016, and 2019.</p><p>There is evidence threat actors have already used the pair to install the China Chopper <a href="https://www.itpro.com/security/hacking/358603/microsoft-is-concerned-with-escalating-web-shell-attacks" data-original-url="https://www.itpro.com/security/hacking/358603/microsoft-is-concerned-with-escalating-web-shell-attacks">web shell</a> on Exchange servers in the wild and Microsoft's attempts to mitigate the attacks have been shrouded in confusion.</p><p>Exchange Server customers are still waiting for a full patch to fix the widely discussed exploit, beyond manual mitigations already supplied publicly. Experts told <em>IT Pro </em>that customers may begin to question why a patch has taken so long for such a ubiquitous product.</p><p>“With products as complex as Microsoft Exchange, one can empathise with how long it is taking to develop - but that is the cost of doing business and when so many organisations rely on your products for their day-to-day operations, security patches in particular need to be prioritised so that customers are not left vulnerable," said Javvad Malik, lead security awareness advocate at KnowBe4.</p><p>Microsoft may also be pursuing fixes for an additional <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerability</a> that has supposedly led to a wave of recent LockBit ransomware attacks on Exchange Server customers.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/business/business-strategy/369294/meta-deepens-metaverse-partnership-with-microsoft-and-accenture" data-original-url="/business/business-strategy/369294/meta-deepens-metaverse-partnership-with-microsoft-and-accenture">Meta deepens metaverse partnership with Microsoft and Accenture, still lacks compelling business case</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/operating-systems/microsoft-windows/361465/windows-11-problems-and-how-to-fix-them" data-original-url="/operating-systems/microsoft-windows/361465/windows-11-problems-and-how-to-fix-them">Most common Windows 11 problems and how to fix them</a></p></div></div><p>Discovered by cyber security researchers at South Korean firm AhnLab, the company's report indicated that attacks have been observed using web shells to perform privilege escalation and exfiltrate terabytes of data.</p><p>Other security researchers have expressed doubt over the lack of evidence used to reinforce claims in the AhnLab report, which is at the time of writing returning a 404 error indicating that it may have been taken down by the researchers following criticism.</p><p>“There's a lot going on in this report about <a href="https://www.itpro.com/security/ransomware/368868/lockbit-ransomware-more-aggressive-ddos-attack" data-original-url="https://www.itpro.com/security/ransomware/368868/lockbit-ransomware-more-aggressive-ddos-attack">LockBit ransomware</a>, and I'm not convinced it's a zero-day (there's no evidence in report), but one to keep an eye on," said researcher Kevin Beaumont in a <a href="https://twitter.com/GossiTheDog/status/1579799118779514882?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1579799118779514882%7Ctwgr%5E91516dc744593cdf44b6510c64c60c8526834e5d%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2F136968%2Fcyber-crime%2Fmicrosoft-exchange-lockbit-ransomware.html">tweet</a>.</p><p>Microsoft has not yet publicly confirmed the vulnerability highlighted in the AhnLab report to be a legitimate zero-day.</p><h2 id="patch-tuesday-brings-critical-fixes">Patch Tuesday brings critical fixes</h2><p>In total, Microsoft patched 96 vulnerabilities this week, notably including two zero-day vulnerabilities. Tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033">CVE-2022-41033</a> and <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043">CVE-2022-41043</a>, these vulnerabilities pertain to the Windows COM+ Event System Service and Microsoft Office respectively.</p><p>Of the two, only CVE-2022-41043 has been actively exploited in the wild, which if successfully executed, can expose “user tokens and other potentially sensitive information” to threat actors. Despite no active exploitation being observed, experts have said that CVE-2022-41033 "should be at the top of everyone's list to quickly patch". </p><p>"This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit," said Kev Breen, director of cyber threat research at Immersive Labs to <em>IT Pro</em>. </p><p>"Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimkatz and move laterally across the network."</p><p>Additionally, 13 critical vulnerabilities have been fixed in the patch. This includes <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968">CVE-2022-37968</a>, carrying the highest possible value on the CVSSv3.1 severity scale with a score of 10, which could be used to wrest administrative control over <a href="https://www.itpro.com/cloud/amazon-web-services-aws/366973/microsoft-azure-leads-aws-in-cloud-market" data-original-url="https://www.itpro.com/cloud/amazon-web-services-aws/366973/microsoft-azure-leads-aws-in-cloud-market">Azure</a> Arc-enabled <a href="https://www.itpro.com/enterprise-applications/31654/what-is-kubernetes" data-original-url="https://www.itpro.com/enterprise-applications/31654/what-is-kubernetes">Kubernetes</a> clusters.</p><p>"CVE-2022-37968, [a] connect elevation of privilege vulnerability, has a rare CVSS score of 10, said Mike Walters, VP of vulnerability and threat research at Action1.</p><p>"Successful exploitation of this vulnerability allows an unauthenticated user to elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster. If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11, and they are available from the internet, upgrade immediately."</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="pFJcpVRGtzBivW3SJxEQa6" name="pFJcpVRGtzBivW3SJxEQa6.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/pFJcpVRGtzBivW3SJxEQa6.png" mos="https://cdn.mos.cms.futurecdn.net/pFJcpVRGtzBivW3SJxEQa6.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Cyber security in manufacturing</strong></p><p class="fancy-box__body-text">The increasing cost of cyber crime means manufacturers need to adapt</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/369195/cyber-security-in-manufacturing" data-original-url="/security/cyber-security/369195/cyber-security-in-manufacturing">FREE DOWNLOAD</a></p></div></div><p>Additionally, the patch covers a critical flaw in SharePoint servers that allowed for RCE (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41038">CVE-2022-41038</a>), one in Windows CryptoAPI (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34689">CVE-2022-34689</a>) that opened the possibility for identity spoofing and code signing, and seven critical vulnerabilities in the Windows point-to-point tunnelling protocol used for public <a href="https://www.itpro.com/security/27098/best-vpn-services" data-original-url="https://www.itpro.com/security/27098/best-vpn-services">virtual private network (VPN)</a> tunnels.</p><p>The remaining 72 patches, one ranked as ‘moderate’ and the rest as ‘important’, cover a range of flaws including those found in Chromium <a href="https://www.itpro.com/software/28109/what-is-open-source" data-original-url="https://www.itpro.com/software/28109/what-is-open-source">Open Source</a>, which powers <a href="https://www.itpro.com/web-browsers/24526/what-is-microsoft-edge" data-original-url="https://www.itpro.com/web-browsers/24526/what-is-microsoft-edge">Microsoft Edge</a>, as well as elevation privilege vulnerabilities in Windows Kernel, a number of information disclosure vulnerabilities, and several denial of service vulnerabilities across several services.</p><p>All patches for the vulnerabilities in this October's Patch Tuesday updates are available to download through Microsoft's Update Catalog. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft's third mitigation update for Exchange Server zero-day exploit bypassed within hours ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/369263/third-microsoft-exchange-sever-zero-day-exploit-fix-bypassed</link>
                                                                            <description>
                            <![CDATA[ The string of problematic temporary fixes for ‘ProxyNotShell’ grows longer after a 'confusing' and 'atypical' week-long vulnerability disclosure process ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">wF34t9fUuePkUJ3s6ghcPN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/MqXqgMPrgtoQ4t3ToK6JDQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 07 Oct 2022 09:35:44 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/MqXqgMPrgtoQ4t3ToK6JDQ-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft Exchange logo displayed on a laptop]]></media:description>                                                            <media:text><![CDATA[Microsoft Exchange logo displayed on a laptop]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft Exchange logo displayed on a laptop]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/MqXqgMPrgtoQ4t3ToK6JDQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has published its third update for its mitigation of an exploit abusing two zero-day vulnerabilities in Microsoft Exchange Server, known as ProxyNotShell.</p><p>It marks the latest step towards providing a fix for the issue, which chains the two vulnerabilities together to execute the attack.</p><p>Security researcher Kevin Beaumont highlighted on Friday that there is already a bypass for the Microsoft-provided mitigation. It means every one of the company's attempts to prevent the exploit from harming customers has been circumvented within hours of publication.</p><p>The issue is in the way Microsoft's signatures detect the exploit. Signatures monitor the w3wp.exe <a href="https://www.itpro.com/security/cyber-attacks/368652/microsoft-warns-hackers-turning-to-iis-exploits-to-create-backdoors" data-original-url="https://www.itpro.com/security/cyber-attacks/368652/microsoft-warns-hackers-turning-to-iis-exploits-to-create-backdoors">internet information services (IIS) module</a> but for customers of Windows Server 2016 and above, w3wp.exe is excluded automatically by Exchange Server when IIS is installed.</p><p>"The only way to correct this is to turn off automatic exclusions," he <a href="https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9">said</a>, but Microsoft states explicitly in its documentation to not do this.</p><p>The original vulnerability disclosure for the ProxyNotShell exploit was atypical in nature and the information regarding potential fixes has been fragmented and confusing to follow for many. </p><p>Discovered last week by security researchers at Vietnam-based company GTSC, the pair of zero-days has received a number of attempted fixes - the first of which was bypassed “easily”.</p><p>GTSC said in its report that it had noticed in-the-wild exploitation of both vulnerabilities for at least a month before publishing its findings.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="pFJcpVRGtzBivW3SJxEQa6" name="pFJcpVRGtzBivW3SJxEQa6.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/pFJcpVRGtzBivW3SJxEQa6.png" mos="https://cdn.mos.cms.futurecdn.net/pFJcpVRGtzBivW3SJxEQa6.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Cyber security in manufacturing</strong></p><p class="fancy-box__body-text">The increasing cost of cyber crime means manufacturers need to adapt</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/369195/cyber-security-in-manufacturing" data-original-url="/security/cyber-security/369195/cyber-security-in-manufacturing">FREE DOWNLOAD</a></p></div></div><p>The security issues are related to, but different from, the <a href="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities" data-original-url="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities">ProxyShell exploit</a> which was developed in 2021 and are not protected by the patch Microsoft provided for ProxyShell that year. </p><p>Tracked as CVE-2022-41040 and CVE-2022-41082, they each received a CVSSv3 severity score of 8.8/10. Microsoft Exchange versions 2013, 2016, and 2019 are affected.</p><p>Exploitation requires access to an authenticated user account but initial <a href="https://twitter.com/GossiTheDog/status/1575764109534326784">tests</a> indicated that any email user’s account, regardless of the level of privileges they had, could be used to launch an attack. </p><p>Microsoft Exchange Server customers are advised to monitor the <a href="http://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server">official mitigation page</a> and apply new ones as they become available in order to protect against exploitation. There is currently no available patch.</p><p>Exploitation has been linked to China by cyber security company Volexity, which first discovered the <a href="https://www.itpro.com/security/cyber-security/361839/the-scariest-security-horror-stories-of-2021" data-original-url="https://www.itpro.com/security/cyber-security/361839/the-scariest-security-horror-stories-of-2021">ProxyLogon exploit</a> last year.</p><p>It publicly tied “at least some of” the exploitation of both zero-days to a known Chinese threat actor that’s been active in Asia for the past 12 months.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr"><a href="https://twitter.com/cantworkitout/status/1577702915602538497"></a></p></blockquote><div class="see-more__filter"></div></div><p>Support for the link with China was also found in GTSC’s original report which detailed the use of China Chopper web shells in successful attacks - a tool known for being used by Chinese threat actors.</p><h2 id="explaining-the-confusing-vulnerability-disclosure-and-mitigation-releases">Explaining the ‘confusing’ vulnerability disclosure and mitigation releases</h2><p>GTSC originally published its <a href="https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html">report</a> on the two vulnerabilities last week but its claims that the flaws were legitimate zero-days were contested by prominent members of the cyber security community.</p><p>Details of the two-part exploit process were included in the company’s blog post but the first stage which described a similar format to the exploitation of ProxyShell was criticised by one security researcher who said the exploit looked too similar to ProxyShell’s to be considered a new method.</p><p>Matters weren’t helped by GTSC not working with Microsoft before publishing its findings, either.</p><p>In an atypical move, the Vietnam-based security firm instead went to the Zero Day Initiative (ZDI) which accepted the two vulnerabilities as zero-days.</p><p>The company said it hoped ZDI would work with Microsoft on a mitigation. It’s unusual for security researchers to publish details of zero-day vulnerabilities without alerting the affected vendor. </p><p>GTSC omitted many of the technical details from its report, reducing the risk of hackers developing exploits using information in it, and likely published ahead of informing Microsoft due to the risk it posed to the global threat landscape.</p><p>Days after GTSC’s original publication, Microsoft triaged the two vulnerabilities and issued CVE tracking codes for them both, confirming they were indeed <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerabilities</a>.</p><p>Zero-day vulnerabilities are security flaws in software, firmware, or hardware that are unknown to the party responsible for maintaining the affected product.</p><p>Microsoft Exchange Server was the impacted product but because Microsoft was not aware of the issues that were being actively exploited, and the fact the vulnerabiltities were eventually proved to be novel, both CVE-2022–41040 and CVE-2022–41082 were classified as zero-days.</p><p>In the days after issuing the CVEs, Microsoft released a number of mitigations for the exploit and the security community developed bypasses on numerous occasions. </p><p>Microsoft also originally said that Exchange Online customers did not need to take any action, a message later disputed as false since Exchange hybrid servers were still vulnerable.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr"><a href="https://twitter.com/cantworkitout/status/1578267337987444736"></a></p></blockquote><div class="see-more__filter"></div></div><p>The information surrounding the disclosure and potential fixes for the ‘ProxyNotShell’ exploit has been disseminated over a number of days and through fragmented sources. </p><p>Microsoft’s official blog has served as the central point of information but mitigation bypasses and other useful information have been sourced from various figures from the cyber security community across the internet. </p><h2 id="additional-mitigation-details">Additional mitigation details</h2><p>Microsoft’s latest update ‘further improves’ its mitigation strategy, first released on 30 September, which involves implementing URL rewrite rules. </p><p>The company originally instructed vulnerable customers to block ports used for Remote PowerShell to stop attackers from triggering remote code execution (RCE) through CVE-2022-41082. </p><p>This advice was later removed as a result of the community highlighting that PowerShell is available directly via Exchange and doesn’t require any other ports. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-attacks/368652/microsoft-warns-hackers-turning-to-iis-exploits-to-create-backdoors" data-original-url="/security/cyber-attacks/368652/microsoft-warns-hackers-turning-to-iis-exploits-to-create-backdoors">Microsoft warns hackers turning to IIS exploits to create backdoors in businesses</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities" data-original-url="/security/exploits/360411/top-30-most-exploited-vulnerabilities">The most exploited cyber security vulnerabilities</a></p></div></div><p>There are also a number of caveats to the provided mitigations that customers and system admins should take into account when locking down their service.</p><p>One of the updated mitigations supplied on Tuesday referenced an earlier Exchange Emergency Mitigation Service (EEMS) rule it released on 30 September.</p><p>Microsoft said this was automatically applied but others <a href="https://twitter.com/GossiTheDog/status/1577538025747267585">suggested</a> that the EEMS rule was only automatically applied if the customer was on the latest Exchange cumulative update, which many aren’t according to scans.</p><p>Microsoft’s URL rewrite mitigation was delivered using the EEMS rule and an Exchange On-premises Mitigation Tool v2 (EOMTv2) that it made available. Some users also chose to manually apply the mitigation.</p><p>A bypass was made public for both EEMS and EOMTv2 methods on Wednesday, with the wider security community sharing their own manual rules to help block incoming attacks.</p><p>Microsoft issued an update to its mitigation on Thursday. Those who manually applied the mitigation are advised to update it and those who used the EEMS and EOMTv2 methods must redownload and rerun the script.</p><p>Admins who also follow Microsoft’s own advice to exclude the w3wp.exe <a href="https://www.itpro.com/security/cyber-attacks/368652/microsoft-warns-hackers-turning-to-iis-exploits-to-create-backdoors" data-original-url="https://www.itpro.com/security/cyber-attacks/368652/microsoft-warns-hackers-turning-to-iis-exploits-to-create-backdoors">internet information services (IIS) module</a> from <a href="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus" data-original-url="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus">antivirus</a> detections should understand that the new rules and signatures do not work when w3wp.exe is excluded, <a href="https://twitter.com/GossiTheDog/status/1577980813081284609/photo/1">according to one researcher</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple patches yet another zero-day flaw in substantial security update ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/369052/apple-patches-yet-another-zero-day-flaw-in-substantial-security-update</link>
                                                                            <description>
                            <![CDATA[ The updates include fixes for kernel-level code execution bugs, privacy issues, and more - all impacting iPhone and iPad users ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">u4KuSXEJyRnZud7aZL5gYj</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/raptXeFJG42Atf6CVdiw6Z-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 13 Sep 2022 10:00:43 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/raptXeFJG42Atf6CVdiw6Z-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[apple iPhone 14 pro in a line up at Apple&amp;#039;s launch showcase in Cupertino, California]]></media:description>                                                            <media:text><![CDATA[apple iPhone 14 pro in a line up at Apple&amp;#039;s launch showcase in Cupertino, California]]></media:text>
                                <media:title type="plain"><![CDATA[apple iPhone 14 pro in a line up at Apple&amp;#039;s launch showcase in Cupertino, California]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/raptXeFJG42Atf6CVdiw6Z-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has released a large package of security fixes for various bugs in iOS and iPadOS including four code-execution flaws and one serious zero-day.</p><p>The most significant of the 11 total security issues was the zero-day vulnerability that allowed hackers to potentially execute arbitrary code with kernel privileges - the most serious kind.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/368841/apple-patches-superpower-zero-days-affecting-iphones-ipads-and-macs" data-original-url="/security/zero-day-exploit/368841/apple-patches-superpower-zero-days-affecting-iphones-ipads-and-macs">Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/369044/the-iphone-security-features-that-come-with-ios-16" data-original-url="/security/369044/the-iphone-security-features-that-come-with-ios-16">A breakdown of iOS 16's security features</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/hardware/368998/apples-iphone-14-launch-is-a-mini-disappointment" data-original-url="/hardware/368998/apples-iphone-14-launch-is-a-mini-disappointment">Apple’s iPhone 14 launch is a mini disappointment</a></p></div></div><p>Apple said it is aware of a report that the issue may have been actively exploited in the wild. A <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerability</a> is characterised as a security flaw that was previously unknown to the affected vendor but not patched.</p><p>Tracked as CVE-2022-32917, the vulnerability was one of the four code-execution bugs patched in the update and the eighth zero-day Apple has patched this year. </p><p>It was not the only other bug that could be exploited with kernel privileges, though. The other is tracked as CVE-2022-32911 but unlike the first, this is not believed to be under active exploitation.</p><p>The other two were found in WebKit, Apple’s proprietary browser engine that’s used to power its Safari app, as well as all the in-app browsers found in apps allowed on Apple’s App Store.</p><p>They both may have allowed arbitrary code execution if a user accessed a maliciously crafted web page, but neither is thought to be under active exploitation either.</p><p>All of the security fixes apply to version 15.7 of each operating system (OS) which is the most recent version for iPads and the second most recent version for iPhones after iOS 16 was launched on Monday.</p><p>Affected devices are the same for all vulnerabilities in the list. These include all officially supported iPhones (iPhone 6s and newer), all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later, and iPod touch (7th generation).</p><p>Also included in the package of patches were fixes for three separate privacy issues. The first of these impacted the affected devices’ Contacts app and Apple’s nondescript explanation of the issue offered very little other than: “an app may be able to bypass privacy preferences”.</p><p>Apple’s security advisories are famously brief in their explanation of each vulnerability and the potential capability of a method to exploit it. It’s unclear how another app could impact the privacy preferences of the contacts app.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="rNAQoa9nwMcMG72HQokQfh" name="rNAQoa9nwMcMG72HQokQfh.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/rNAQoa9nwMcMG72HQokQfh.jpg" mos="https://cdn.mos.cms.futurecdn.net/rNAQoa9nwMcMG72HQokQfh.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Storage's role in addressing the challenges of ensuring cyber resilience</strong></p><p class="fancy-box__body-text">Understanding the role of data storage in cyber resiliency</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-attacks/368461/storages-role-in-addressing-the-challenges-of-ensuring-cyber" data-original-url="/security/cyber-attacks/368461/storages-role-in-addressing-the-challenges-of-ensuring-cyber">FREE DOWNLOAD</a></p></div></div><p>“For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” it said in the <a href="https://support.apple.com/en-gb/HT213258">update’s notes</a>.</p><p>Apple’s Maps app also suffered a privacy issue whereby another app installed on an affected device may have been able to read “sensitive location information”.</p><p>Apple was equally as vague as to the finer details of this vulnerability, too, as it was with the third privacy flaw found in Safari’s web extensions. </p><p>Exploiting this vulnerability would potentially allow websites to track users through browser extensions in Apple’s Safari app. </p><p>Apple did not specify if this vulnerability would also circumvent its built-in <a href="https://www.itpro.com/security/privacy/359467/just-13-of-ios-users-opt-into-being-tracked-by-third-party-apps" data-original-url="https://www.itpro.com/security/privacy/359467/just-13-of-ios-users-opt-into-being-tracked-by-third-party-apps">App Tracking Transparency functionality</a> introduced in iOS 14 or if websites could track users if they enabled the hiding of their <a href="https://www.itpro.com/network-internet/internet-protocol-version-6-ipv6/360855/what-is-tcpip" data-original-url="https://www.itpro.com/network-internet/internet-protocol-version-6-ipv6/360855/what-is-tcpip">IP address</a> in the device’s settings.</p><p>Elsewhere, vulnerabilities potentially allowing photos to be accessed from the lock screen through the exploitation of Shortcuts, address bar spoofing in Safari, and privilege escalation flaws in MediaLibrary were also fixed.</p><p>Apple’s security updates rarely deliver this many fixes in one release but the update is potentially more impactful for iPad owners. </p><p>The security updates must be applied to Apple’s tablets but the vulnerabilities no longer affect the latest version of iOS, so if users updated to iOS 16 on Monday, then the fixes would automatically be ported over with the newer OS.</p><p>The latest iOS update brought with it several <a href="https://www.itpro.com/security/369044/the-iphone-security-features-that-come-with-ios-16" data-original-url="https://www.itpro.com/security/369044/the-iphone-security-features-that-come-with-ios-16">new security features for iPhone users</a> and one of the most notable was the decoupled security updates.</p><p>Users would typically have had to wait for full iOS updates to receive new <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">security patches</a> but Apple is now releasing updates for its OS and security flaws separately so fixes can be applied more quickly.</p><p>The same security features will also be coming to iPad users when its iPadOS is eventually rolled out. </p><p>Apple has confirmed that the OS has been delayed by a month, although it is usually released at the same time as iOS.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google’s Project Zero is frightening and reassuring in equal measure ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-security/369008/googles-project-zero-is-frightening-and-reassuring-in-equal-measure</link>
                                                                            <description>
                            <![CDATA[ This crack team of security researchers are doing work we should all be grateful for ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3yjBHxTbwGUoiAaQsivt43</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pXCbVvNzHjKfG3wFAC6vS9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 10 Sep 2022 07:00:13 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Davey Winder ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/qKL6BZiS7oo9Hmyy2yd3WJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pXCbVvNzHjKfG3wFAC6vS9-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Female IT programmer working on a desktop computer in data centre]]></media:description>                                                            <media:text><![CDATA[Female IT programmer working on a desktop computer in data centre]]></media:text>
                                <media:title type="plain"><![CDATA[Female IT programmer working on a desktop computer in data centre]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pXCbVvNzHjKfG3wFAC6vS9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The search giant has long since been just a search giant, but one area in which Google excels is in threat discovery. Project Zero is a team of security researchers. If Marks and Spencer did <a href="https://www.itpro.com/security/28133/what-is-cyber-security" target="_blank" data-original-url="https://www.itpro.com/security/28133/what-is-cyber-security">cyber security</a> research then these would be the calibre of hackers it employed. Seriously, the Project Zero researchers are drawn from some of the best in their respective fields. Which is why when it issues reports, they’re well worth reading. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a></p></div></div><p>Take the <a href="https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html" target="_blank">analysis of zero-days disclosed by Project Zero across 2021</a>. The obvious headline takeaway is that 2021 broke the record for number of zero-days across multiple platforms, 58 if you care about such things, and ditto for those impacting <a href="https://www.itpro.com/web-browsers/24796/best-browser-chrome-vs-edge-vs-firefox" target="_blank" data-original-url="https://www.itpro.com/web-browsers/24796/best-browser-chrome-vs-edge-vs-firefox">Google Chrome</a>, at 14. Another potential takeaway is that despite the maturity of Google’s security ecosystem, a team of truly “elite” researchers can still <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" target="_blank" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">find this number of zero-days</a>. </p><p>Another possible takeaway is that the vast majority of them fell into the same-old-same-old category of memory corruption vulnerabilities enabling the exploits. Although this is a tried and tested method, it’s not a tired one. Indeed, that so many zero-day exploits were going down that route demonstrates how important this class of vulnerability is and how much further there is to travel for DevSec folk. </p><p>“Memory corruption vulnerabilities have been the standard for attacking software for the last few decades, and it’s still how attackers are having success,” said Maddie Stone, the Project Zero researcher behind the analysis. Stone also made the point that while it’s great finding zero-days, and the improvement amongst researchers in being able to do so, there’s a “lot more improving to be done”. </p><p>That attackers are, on the whole, sticking to legacy exploit techniques should be a huge concern to the tech industry as a whole, but it’s also a huge opportunity to close them out by putting a greater focus on closing those rogue code gaps.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/spyware/30001/what-is-spyware" data-original-url="/spyware/30001/what-is-spyware">What is spyware?</a></p></div></div><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="rNAQoa9nwMcMG72HQokQfh" name="rNAQoa9nwMcMG72HQokQfh.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/rNAQoa9nwMcMG72HQokQfh.jpg" mos="https://cdn.mos.cms.futurecdn.net/rNAQoa9nwMcMG72HQokQfh.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Storage's role in addressing the challenges of ensuring cyber resilience</strong></p><p class="fancy-box__body-text">Understanding the role of data storage in cyber resiliency</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-attacks/368461/storages-role-in-addressing-the-challenges-of-ensuring-cyber" data-original-url="/security/cyber-attacks/368461/storages-role-in-addressing-the-challenges-of-ensuring-cyber">FREE DOWNLOAD</a></p></div></div><p>What really stood out to me from the 58 zero-days detailed in this report was that only two of them made the researchers go “wow”, and that they avoided the memory corruption methodology completely. Both targeted Apple users, via <a href="https://www.itpro.com/mobile/30409/android-vs-ios-which-mobile-os-is-right-for-you" target="_blank" data-original-url="https://www.itpro.com/mobile/30409/android-vs-ios-which-mobile-os-is-right-for-you">iOS</a> and iMessage respectively, and both invested in novel exploit techniques with great impact. How great? If I said “<a href="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers" target="_blank" data-original-url="https://www.itpro.com/security/spyware/361639/apple-sues-nso-group-over-pegasus-attacks-on-its-customers">NSO Pegasus</a>” that should be enough to get your head spinning into overdrive. </p><p>The two exploits were singled out as, firstly an iOS security sandbox escape that only used logic bugs to work and, secondly, a zero-click iMessage exploit in reality rather than the realm of hyperbolic headlines. The Project Zero researchers described the latter as being “one of the most technically sophisticated exploits” they had ever seen, according to the report. </p><p>“Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations,” the report said. “It’s not as fast as <a href="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it" target="_blank" data-original-url="https://www.itpro.com/development/30202/what-is-javascript-and-why-should-i-learn-it">JavaScript</a>, but it’s fundamentally computationally equivalent.” </p><p>I’ll add my wow into the mix at this point.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple breaks update policy to secure older iPhones and iPads against zero-day ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/368941/apple-breaks-update-policy-to-secure-older-iphones-and-ipads-against-zero-days</link>
                                                                            <description>
                            <![CDATA[ It's been four years since the company patched an end-of-life device against a major vulnerability ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">whTh9LgJEp3GMoqQRiUHew</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LEXWMhknDpUNcoHiaVoNJ8-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 01 Sep 2022 10:06:04 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LEXWMhknDpUNcoHiaVoNJ8-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Gold Apple iPhone 5s held against a gold iPhone 6s by a woman in an Apple store]]></media:description>                                                            <media:text><![CDATA[Gold Apple iPhone 5s held against a gold iPhone 6s by a woman in an Apple store]]></media:text>
                                <media:title type="plain"><![CDATA[Gold Apple iPhone 5s held against a gold iPhone 6s by a woman in an Apple store]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LEXWMhknDpUNcoHiaVoNJ8-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has made a rare exception to its policy of not patching older-than-officially-supported devices by releasing security updates for the iPhone 5s and newer following the ‘severe’ zero-days discovered in August.</p><p>The zero-day vulnerabilities affecting iOS, iPadOS, and macOS Monterrey essentially granted “administrative superpowers” to hackers, according to some security researchers.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/368841/apple-patches-superpower-zero-days-affecting-iphones-ipads-and-macs" data-original-url="/security/zero-day-exploit/368841/apple-patches-superpower-zero-days-affecting-iphones-ipads-and-macs">Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/367344/report-apple-neglects-to-patch-zero-days-for-older-macos-versions" data-original-url="/security/367344/report-apple-neglects-to-patch-zero-days-for-older-macos-versions">Report: Apple "neglects" to patch zero-days for older macOS versions</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/367277/apple-emergency-patch-fixing-ios-macos-zero-days" data-original-url="/security/zero-day-exploit/367277/apple-emergency-patch-fixing-ios-macos-zero-days">Apple releases emergency patch fixing zero-days across iOS and macOS</a></p></div></div><p>The two ‘critical’ vulnerabilities could be chained together to gain control of an entire device with kernel privileges, Apple said at the time.</p><p>It meant attackers who managed a maliciously crafted web page could exploit an Apple device and assume control of features like the camera and microphone, and carry out other activities such as spying on apps and accessing nearly all data stored on the device.</p><p>Apple very rarely breaks its own policy of not applying <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">security patches</a> to unsupported devices. Apple currently supports iPhones as old as the iPhone 6, but <a href="https://support.apple.com/en-us/HT213428">this week’s updates</a> push fixes to devices such as the iPhone 5s, iPad Air, iPad Mini 2, and the iPod touch (6th generation).</p><p>The last time it issued a backported fix for a major vulnerability <a href="https://support.apple.com/en-us/HT208397">was in 2018</a> when it updated older Macs to protect against the infamous <a href="https://www.itpro.com/exploits/30478/what-are-meltdown-and-spectre-and-are-you-affected" data-original-url="https://www.itpro.com/exploits/30478/what-are-meltdown-and-spectre-and-are-you-affected">Meltdown vulnerability</a> affecting most Intel chips in use at the time of discovery.</p><p>The discovery of Meltdown was a significant one - Intel was the dominant chipmaker, for some time, in the PC and Mac market and the vulnerability was found to affect nearly every Intel chip from the previous 20 years. </p><p>The exploitation of Meltdown would allow attackers to ‘melt’ the kernel-level restrictions on the chip’s hardware and potentially access highly sensitive protected data.</p><p>It’s common for tech companies to decide when a device goes ‘end of life’ - the point at which it will no longer receive security updates. It can make the creation and management of security fixes easier but companies have drawn criticism over the practice which has been seen by some as a way of forcing users to pay for newer hardware sooner than needed.</p><p>Apple, however, is known to be one of the companies that offer the most amount of updates to older hardware with the current policy extending to iPhone 6 devices, released in September 2014 - eight years ago.</p><p>Other manufacturers in the Android ecosystem offer comparatively fewer updates for their devices. The generally perceived average is that Android OS devices will receive three years of security updates.</p><p>This can vary by manufacturer, though. For example, Samsung offers four years of security updates (<a href="https://www.itpro.com/mobile/mobile-phones/360056/samsung-to-support-enterprise-devices-with-five-years-of-android" data-original-url="https://www.itpro.com/mobile/mobile-phones/360056/samsung-to-support-enterprise-devices-with-five-years-of-android">five for enterprise devices</a>) and other companies like Xiaomi offer no guarantees on the number of security updates they will provide users.</p><h2 id="the-apple-zero-days-explained-and-analysed">The Apple zero-days explained and analysed</h2><p>Apple fixed two <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerabilities</a>, that may have been actively exploited in the wild, earlier in August. </p><p>The first of these, tracked as CVE-20220-32893, was a remote code execution (RCE) flaw in WebKit, Apple’s proprietary browser engine. </p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="X45j9iJmNPhLBRNurdifFT" name="X45j9iJmNPhLBRNurdifFT.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/X45j9iJmNPhLBRNurdifFT.jpg" mos="https://cdn.mos.cms.futurecdn.net/X45j9iJmNPhLBRNurdifFT.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Cyber resiliency and end-user performance</strong></p><p class="fancy-box__body-text">Reduce risk and deliver greater business success with cyber-resilience capabilities</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/368832/cyber-resiliency-and-end-user-performance" data-original-url="/security/368832/cyber-resiliency-and-end-user-performance">FREE DOWNLOAD</a></p></div></div><p>The vulnerability was exploitable in any WebKit-enabled browser such as Safari and all in-app browsers on iOS and iPadOS. It meant that nearly all devices could be exploited given the prevalence of in-app browser use, regardless of whether the user’s default <a href="https://www.itpro.com/web-browsers/24796/best-browser-chrome-vs-edge-vs-firefox" data-original-url="https://www.itpro.com/web-browsers/24796/best-browser-chrome-vs-edge-vs-firefox">browser</a> was changed from Safari or not.</p><p>The second flaw, tracked as CVE-2022-32894, was a bug that required the attacker to gain an initial foothold on the target device to exploit it. The aforementioned WebKit vulnerability would have granted the necessary privileges to exploit the second.</p><p>It was a kernel-level code execution bug and the pair together garnered widespread attention from the world’s media given the severity of the potential outcomes.</p><p>Apple releases security updates for its devices usually, at least, every month so it’s not uncommon for users to skip an update or two due to the time it takes to download and install them on each device.</p><p>The widespread reporting on the vulnerabilities could have influenced Apple to break its policy on providing security fixes for end-of-life devices - Apple has not commented on this explicitly, though.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/368841/apple-patches-superpower-zero-days-affecting-iphones-ipads-and-macs</link>
                                                                            <description>
                            <![CDATA[ The RCE and kernel-level bugs may have been actively exploited and could give high-level privileges to attackers ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">tMZ4LEDrLTrg3iqnggsMkx</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5ZTNVsy5m5Zunicxnf8EmX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Aug 2022 10:09:34 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5ZTNVsy5m5Zunicxnf8EmX-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A symbol of a white padlock inside the outline of a shield on a red microchip]]></media:description>                                                            <media:text><![CDATA[A symbol of a white padlock inside the outline of a shield on a red microchip]]></media:text>
                                <media:title type="plain"><![CDATA[A symbol of a white padlock inside the outline of a shield on a red microchip]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5ZTNVsy5m5Zunicxnf8EmX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has fixed two zero-day vulnerabilities affecting iOS, iPadOS, and macOS Monterrey that may have been actively exploited.</p><p>The first exploit is a remote code execution (RCE) flaw affecting Apple’s proprietary browser engine WebKit, tracked as CVE-20220-32893.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution" data-original-url="/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution">Apple fixes array of iOS, macOS zero-days and code execution security flaws</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/362225/apple-releases-major-security-update-iphones-ipads-macs-webkit" data-original-url="/security/vulnerability/362225/apple-releases-major-security-update-iphones-ipads-macs-webkit">Apple users told to update their devices to fix critical WebKit flaw</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/367277/apple-emergency-patch-fixing-ios-macos-zero-days" data-original-url="/security/zero-day-exploit/367277/apple-emergency-patch-fixing-ios-macos-zero-days">Apple releases emergency patch fixing zero-days across iOS and macOS</a></p></div></div><p>An attacker could maliciously alter a web page and if visited by a WebKit-powered browser, then unauthorised code could run on unpatched devices.</p><p>WebKit is Apple’s browser engine and is naturally used to power the native Safari browser on currently supported iPhones and iPads. It’s also the engine that Apple compels app developers to use when building for its mobile devices.</p><p>This means even Google Chrome has to forfeit its Blink and V8 engines on <a href="https://www.itpro.com/mobile/30409/android-vs-ios-which-mobile-os-is-right-for-you" data-original-url="https://www.itpro.com/mobile/30409/android-vs-ios-which-mobile-os-is-right-for-you">iOS</a> and <a href="https://www.itpro.com/software/operating-systems/368110/ipados-16-adds-laptop-style-multitasking" data-original-url="https://www.itpro.com/software/operating-systems/368110/ipados-16-adds-laptop-style-multitasking">iPadOS</a>, and other browsers also have to use WebKit to pass Apple’s App Store checks.</p><p>Other apps that may not be browsers primarily, but have browsing features within them, also use WebKit to display web content which means the vulnerability may have a wide-reaching attack surface.</p><p>Devices affected by CVE-20220-32893 include iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation), and macOS Monterrey.</p><p>This vulnerability is the third critical WebKit bug Apple has been made to fix this year after the first two patches were <a href="https://www.itpro.com/security/vulnerability/362225/apple-releases-major-security-update-iphones-ipads-macs-webkit" data-original-url="https://www.itpro.com/security/vulnerability/362225/apple-releases-major-security-update-iphones-ipads-macs-webkit">released within weeks of each other</a> at the start of the year.</p><p>The second zero-day exploit patched by Apple on Wednesday is a kernel-level code execution bug that can be abused once an attacker gains an initial foothold on an affected device.</p><p>Tracked as CVE-2022-32894, one way an attacker could achieve that initial foothold is by exploiting the aforementioned WebKit flaw, <a href="https://nakedsecurity.sophos.com/2022/08/18/apple-patches-double-zero-day-in-browser-and-kernel-update-now">according to researchers at Sophos</a>. </p><p>This means an attacker “could jump from controlling just a single app on your device to taking over the operating system kernel itself, thus acquiring the sort of ‘administrative superpowers’ normally reserved for Apple itself,” said Paul Ducklin, principal research scientist at Sophos.</p><p>Such privileges could afford an attacker the ability to carry out activities such as spying on apps, accessing nearly all data on the device, retrieving locations, using cameras, taking screenshots, activating the microphone, and more, he said.</p><p>Like the WebKit flaw, the code required to exploit this vulnerability would have to be embedded within a maliciously crafted web page and executed after the WebKit vulnerability had already been exploited.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="X45j9iJmNPhLBRNurdifFT" name="X45j9iJmNPhLBRNurdifFT.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/X45j9iJmNPhLBRNurdifFT.jpg" mos="https://cdn.mos.cms.futurecdn.net/X45j9iJmNPhLBRNurdifFT.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Cyber resiliency and end-user performance</strong></p><p class="fancy-box__body-text">Reduce risk and deliver greater business success with cyber-resilience capabilities</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/368832/cyber-resiliency-and-end-user-performance" data-original-url="/security/368832/cyber-resiliency-and-end-user-performance">FREE DOWNLOAD</a></p></div></div><p>This zero-day also affects all the aforementioned iPhone and iPad devices, in addition to Macs running macOS Monterrey.</p><p>Both issues were caused by an out-of-bounds write issue and were addressed by improving the bounds checking of the vulnerable components.</p><p>The two vulnerabilities patched by Apple on Wednesday represent the sixth and seventh zero-day exploits that Apple has been forced to fix this year.</p><p>The company also patched a swathe of <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerabilities</a> in 2021 including the <a href="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw" data-original-url="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw">ForcedEntry exploit</a> used by the notorious <a href="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus" data-original-url="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus">Pegasus spyware developed by NSO Group</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Dogwalk RCE variant among 121 vulnerabilities fixed in Microsoft's August Patch Tuesday ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/368779/dogwalk-rce-variant-among-121-vulnerabilities-fixed-in-microsofts-patch-tuesday</link>
                                                                            <description>
                            <![CDATA[ The second-biggest security update released by Microsoft this year featured 17 critical-rated RCEs and privilege escalation bugs ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">svYpEthqRNs3mih1iVmpwd</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/7VYEef5aeuutQXcvxqPgUc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 10 Aug 2022 11:03:29 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/7VYEef5aeuutQXcvxqPgUc-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft Windows 11 logo on a smartphone set against a background of neon blue code on a screen to denote a cyber security theme]]></media:description>                                                            <media:text><![CDATA[Microsoft Windows 11 logo on a smartphone set against a background of neon blue code on a screen to denote a cyber security theme]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft Windows 11 logo on a smartphone set against a background of neon blue code on a screen to denote a cyber security theme]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/7VYEef5aeuutQXcvxqPgUc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has patched 17 ‘critical’ vulnerabilities and one remote code execution (RCE) zero-day in its August monthly Patch Tuesday.</p><p>A total of 121 vulnerabilities were patched in the Tuesday update, as well as 20 additional Chromium-based Microsoft Edge flaws on Friday 5 August.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/software/microsoft-office/368776/microsoft-marks-onedrive-anniversary-with-a-design-overhaul" data-original-url="/software/microsoft-office/368776/microsoft-marks-onedrive-anniversary-with-a-design-overhaul">Microsoft marks OneDrive's 15th anniversary with a design overhaul</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/business-strategy/collaboration/368777/barclays-strikes-deal-with-microsoft-to-migrate-staff-to" data-original-url="/business-strategy/collaboration/368777/barclays-strikes-deal-with-microsoft-to-migrate-staff-to">Barclays strikes deal with Microsoft to migrate staff to Teams</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/368424/six-cyber-security-companies-to-watch-in-2022" data-original-url="/security/cyber-security/368424/six-cyber-security-companies-to-watch-in-2022">Six cyber security companies to watch in 2022</a></p></div></div><p>Impacting Microsoft Windows Support Diagnostic Tool (MDST), the zero-day vulnerability (CVE-2022-34713) is among the most notable fixes this month and is a variant of the previously disclosed ‘Dogwalk’, Microsoft said.</p><p>Rated 7.8 on the CVSSv3 severity scale, it can be exploited by tricking a target into opening a malicious document via email phishing, or through an attacker-controlled website that hosts a malicious file.</p><p>Dogwalk drew major attention in May 2022 but dates back to an initial discovery in 2020. It was ‘lazily’ named by a security researcher who was walking his dog at the time of being asked to name it, <a href="https://twitter.com/GossiTheDog/status/1554728053678522369">he claimed</a>. </p><p>The vulnerability itself is a path traversal flaw in MDST affecting Windows 7 devices or newer. To exploit it, targets have to become infected with a malicious .diagcab file which drops the payload into the Windows Startup folder and executed by Windows when the user next logs in, according to an <a href="https://socprime.com/blog/dogwalk-vulnerability-detection-new-path-traversal-flaw-in-microsoft-windows">analysis</a> by SOC Prime.</p><p>A <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerability</a> is one that has been previously disclosed publicly and with active exploitation spotted. A separate RCE flaw in MDST (CVE-2022-35743) was also patched this month, but active exploitation has not been found and therefore cannot be considered a zero-day.</p><p>Microsoft categorised 17 of the now-patched vulnerabilities as ‘critical’ since they facilitated the elevation of privileges and RCE. Only three of the 121 total flaws were classified as ‘critical’ on the CVSSv3 severity scale - vulnerabilities with scores between 9.0 and 10.0.</p><p>All three of the most severe vulnerabilities were all RCEs with one affecting Windows Network File System (NFS) (CVE-2022-34715) and two separate flaws impacting the Windows Point-to-Point Protocol (PPP) (CVE-2022-30133 and CVE-2022-35744).</p><p>CVE-2022-34715 was classed as a low-complexity <a href="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities" data-original-url="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities">exploit</a> by Microsoft and involves an attacker making an unauthenticated call to an NFS service (version 4.0) to trigger an RCE.</p><p>Although rated 9.8/10.0 on the CVSSv3 scale, Microsoft branded this vulnerability as ‘important’ - the second-highest severity rating because a target would be presented with a prompt or warning during the <a href="https://www.itpro.com/cyber-attacks/31436/what-is-a-cyber-kill-chain" data-original-url="https://www.itpro.com/cyber-attacks/31436/what-is-a-cyber-kill-chain">kill chain</a>.</p><p>CVE-2022-30133 and CVE-2022-35744 were both rated 9.8/10.0 on the CVSSv3 scale and also classified as ‘critical’ by Microsoft since RCE could be achieved without any user intervention at all.</p><p>In both cases, an unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS), Microsoft said, which could lead to RCE on the RAS server machine.</p><p>The remaining critical-rated vulnerabilities, as classified by Microsoft, all fell below the ‘critical’ threshold of the CVSSv3 scale but require no user intervention to exploit them.</p><p>The remaining flaws impacted the following: Active Directory Domain Services, Windows Secure Socket Tunneling Protocol, Windows Hyper-V, SMB Client and Server, and Microsoft Exchange Server.</p><p>The full list of fixed vulnerabilities can be found on Microsoft’s <a href="https://msrc.microsoft.com/update-guide/vulnerability">dedicated web page</a>. </p><p>August’s Patch Tuesday marks the second-biggest round of updates in 2022, behind April’s which <a href="https://www.itpro.com/security/367413/microsofts-massive-145-vulnerability-patch-tuesday-fixes-ten-critical-exploits" data-original-url="https://www.itpro.com/security/367413/microsofts-massive-145-vulnerability-patch-tuesday-fixes-ten-critical-exploits">fixed 145 different flaws</a>.</p><p>Early reports from system administrator communities are indicating that the updates are applying successfully and not impacting any wider components as Patch Tuesday updates have in the past. </p><p>Earlier this year, Windows Server admins collectively agreed to <a href="https://www.itpro.com/server-storage/microsoft-windows-server/362009/windows-server-admins-agree-to-forgo-broken-patches" data-original-url="https://www.itpro.com/server-storage/microsoft-windows-server/362009/windows-server-admins-agree-to-forgo-broken-patches">forgo a month of patches</a> due to the security updates causing other services in their IT environments to break.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Actively exploited zero-day and four 'critical' vulnerabilities fixed in Microsoft's July Patch Tuesday ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/vulnerability/368532/actively-exploited-zero-day-and-four-critical-vulnerabilities-fixed-microsoft-patch-tuesday</link>
                                                                            <description>
                            <![CDATA[ The month's list of 84 bug fixes has been branded "boring" by some experts but should be welcome news to security personnel ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kXu8ZoYn3wbYUzwSxDZiML</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/88feVG4wzJfrBkDex8GRwm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 13 Jul 2022 09:56:04 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/88feVG4wzJfrBkDex8GRwm-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A padlock graphic on an abstract digital background]]></media:description>                                                            <media:text><![CDATA[A padlock graphic on an abstract digital background]]></media:text>
                                <media:title type="plain"><![CDATA[A padlock graphic on an abstract digital background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/88feVG4wzJfrBkDex8GRwm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft’s latest monthly security updates for July have been released this week, with 84 total vulnerabilities fixed including one actively exploited zero-day.</p><p>The zero-day (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047">CVE-2022-22047</a>) is a privilege escalation flaw affecting Windows Client/Server Runtime Submission (CSRSS), the exploitation of which could grant attackers system privileges.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/368519/microsoft-makes-windows-autopatch-generally-available-to-enterprise-users" data-original-url="/security/368519/microsoft-makes-windows-autopatch-generally-available-to-enterprise-users">Microsoft makes Windows Autopatch generally available to enterprise users</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/infrastructure/server-storage/367663/windows-admin-patch-tuesday-authentication-bug" data-original-url="/infrastructure/server-storage/367663/windows-admin-patch-tuesday-authentication-bug">Windows Server admins say latest Patch Tuesday broke authentication policies</a></p></div></div><p>It has been given a CVSSv3 score of 7.8/10 - a ‘high’ rating - and Tenable <a href="https://www.tenable.com/blog/microsofts-july-2022-patch-tuesday-addresses-84-cves-cve-2022-22047">said</a> it is a vulnerability that is most likely to be used after initially gaining a foothold in an organisation. </p><p>“This type of vulnerability is likely to have been used as part of post-compromise activity, once an attacker has gained access to their targeted system and run a specially crafted application,” it <a href="https://www.tenable.com/blog/microsofts-july-2022-patch-tuesday-addresses-84-cves-cve-2022-22047">said</a>.</p><p>No other details on the zero-day have been released other than Microsoft’s assessment that exploitation requires a low level of complexity, albeit through a local attack vector.</p><p>This means an attacker would either have to have their hands on the victim’s keyboard or be able to control a machine remotely, supporting Tenable’s conclusion that it would likely be used after initially compromising an organisation.</p><p>Given that CVE-2022-22047 is the only actively exploited bug in this month’s list of patches, businesses are more seriously advised to patch this one especially.</p><p>The US’ cyber security authority CISA <a href="https://www.cisa.gov/uscert/ncas/current-activity/2022/07/12/cisa-adds-one-known-exploited-vulnerability-catalog">added the zero-day to its list of mandatory patches</a> that all federal civilian and executive branch agencies must deploy pursuant to the binding operational directive 22-01, <a href="https://www.itpro.com/security/vulnerability/361441/cisa-federal-agencies-cyber-security-patch-deadlines" data-original-url="https://www.itpro.com/security/vulnerability/361441/cisa-federal-agencies-cyber-security-patch-deadlines">first imposed last year</a> but regularly updated since.</p><p>Four critical-rated vulnerabilities were fixed in this month’s ‘Patch Tuesday’, though none of these are believed to have been actively exploited. </p><p>The first of these is <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30222">CVE-2022-30222</a> which has been given a CVSSv3 score of 8.4/10. The remote code execution (RCE) vulnerability affects PCs with a Japanese language pack installed and attackers can use the input method editor (IME) to gain system privileges.</p><p>An IME is software that allows users to input characters that aren’t typically supported by qwerty keyboards. Users type combinations of keys to display characters that otherwise aren’t present on their keyboard, rather than hitting dedicated buttons for specific characters.</p><p>CVE-2022-30216 received a severity rating of 8.8/10 and is a Windows Server service tampering vulnerability, the exploitation of which is “more likely” according to Microsoft.</p><p>To exploit <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30216">the bug</a>, an attacker would need to be authenticated which may limit the real-world effectiveness, unless the attacker could upload a malicious certificate to the Windows Server service.</p><p>Another 8.8-rated bug was <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30221">CVE-2022-30221</a>, an RCE flaw affecting the Windows Graphics Component. Exploitation is less likely with this one given that a victim would have to be convinced to connect to a remote desktop protocol (RDP) server, limiting real-world impact. </p><p>Regardless, if a business’ employee was convinced to join an attacker-controlled RDP server, they could exploit the flaw to execute code on the victim’s system.</p><p>The final ‘critical’ vulnerability for this month is the 8.8-rated CVE-2022-20226, a privilege escalation bug again affecting Windows CSRSS, like the aforementioned <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day</a>. </p><p>Exploitation is assessed as “less likely” again by Microsoft, but an authenticated attacker could send a specially crafted request to the CSRSS to elevate their privileges from AppContainer to the system, before executing code or accessing resources.</p><p>In summary, July’s Patch Tuesday has been <a href="https://twitter.com/GossiTheDog/status/1546918839740407808">described by some experts as “boring”</a> given the low number of seriously threatening security vulnerabilities <a href="https://www.itpro.com/security/367413/microsofts-massive-145-vulnerability-patch-tuesday-fixes-ten-critical-exploits" data-original-url="https://www.itpro.com/security/367413/microsofts-massive-145-vulnerability-patch-tuesday-fixes-ten-critical-exploits">compared to months gone by</a>.</p><p>For the full list of vulnerabilities and Microsoft’s assessments on each, visit the company’s <a href="https://msrc.microsoft.com/update-guide/vulnerability">dedicated security update guide</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Exploitation of Atlassian Confluence zero-day surges fifteen-fold in 24 hours ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/368086/exploitation-of-atlassian-confluence-zero-day-surges-fifteen-fold</link>
                                                                            <description>
                            <![CDATA[ The zero-day code execution vulnerability was discovered last week and cyber attackers are already capitalising on the proof-of-concept code ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kCeANUDw5sCmPt3WPjLhxg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/yydKJGAQrQ4uT9zW7ZzgKW-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 06 Jun 2022 10:52:33 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/yydKJGAQrQ4uT9zW7ZzgKW-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Atlassian logo on a smartphone, with the logo on a wall in the background too]]></media:description>                                                            <media:text><![CDATA[Atlassian logo on a smartphone, with the logo on a wall in the background too]]></media:text>
                                <media:title type="plain"><![CDATA[Atlassian logo on a smartphone, with the logo on a wall in the background too]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/yydKJGAQrQ4uT9zW7ZzgKW-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The exploitation of a critical-severity remote code execution (RCE) zero-day flaw in Atlassian Confluence Server and Data Center has increased by nearly fifteen times in the two days since active attacks were first registered.</p><p>Experts at internet security firm GreyNoise said the number of unique IP addresses launching attacks using the RCE flaw, tracked as CVE-2022-26134, has <a href="https://twitter.com/Andrew___Morris/status/1533504231876993025">risen from 28 to 400</a> since Friday when exploitation began.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/360783/us-officials-warn-mass-exploitation-of-atlassian-confluence-flaw" data-original-url="/security/hacking/360783/us-officials-warn-mass-exploitation-of-atlassian-confluence-flaw">US officials warn of “mass exploitation” of Atlassian Confluence flaw</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/360006/atlassian-patches-one-click-flaw-that-allowed-hackers-to-steal-user" data-original-url="/security/vulnerability/360006/atlassian-patches-one-click-flaw-that-allowed-hackers-to-steal-user">Atlassian patches One-Click flaw that allowed hackers to steal user sessions</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/cloud/cloud-computing/367395/atlassian-needs-two-weeks-to-fix-cloud-outage" data-original-url="/cloud/cloud-computing/367395/atlassian-needs-two-weeks-to-fix-cloud-outage">Atlassian needs two weeks to fix cloud outage</a></p></div></div><p>Cyber security company Volexity first reported that it discovered the RCE vulnerability over the US’ Memorial Day weekend (28-30 May) after noticing suspicious activity on two internet-facing web servers.</p><p>It was assigned a CVE tracking code on 31 May and Volexity published its findings last week, with a clear rise in active exploits on current versions following a day after, on 3 June.</p><p>Atlassian released a patch for the unauthenticated RCE flaw on Friday, urging all customers to upgrade to the latest version to avoid being targeted by attackers with access to proof-of-concept (PoC) exploit code.</p><p>According to Atlassian, the company has released the following new Confluence versions that all contain a fix for the security issue:</p><ul><li>7.4.17</li><li>7.13.7</li><li>7.14.3</li><li>7.15.2</li><li>7.16.4</li><li>7.17.4</li><li>7.18.1</li></ul><p>Admins who are unable to upgrade to the latest versions of Confluence are advised to mitigate the flaw with a workaround which involves updating several specific .JAR files. More information and full instructions can be found via <a href="https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html">Atlassian’s security advisory</a>.</p><p>An analysis of the situation by Unit 42 revealed nearly 20,00 Confluence servers found to be potentially affected by the exploit as of last week, with most of the victims residing either in the US, German, Russia, and China.</p><p>It also <a href="https://unit42.paloaltonetworks.com/cve-2022-26134-atlassian-code-execution-vulnerability">said</a> there was evidence of early exploitation as far back as 26 May with targets across various industries.</p><p>Volexity said in its initial analysis that early exploits seemed to be conducted by multiple threat actors likely to be operating out of China.</p><h2 id="deconstructing-the-zero-day">Deconstructing the zero-day</h2><p>Volexity’s initial analysis of the zero-day’s exploitation revealed that attackers were using the vulnerability to drop several malicious implants in the form of web shells on victims’ environments.</p><p>Attackers were using the open-source Behinder web server implant previously linked to Chinese threat actors <a href="https://decoded.avast.io/janneduchal/analysis-of-attack-against-national-games-of-china-systems">by Avast</a>.</p><p>“Behinder provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike,” said Volexity. “This method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="zN9yq6wvv8oBhbPFBWeEAd" name="zN9yq6wvv8oBhbPFBWeEAd.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/zN9yq6wvv8oBhbPFBWeEAd.jpg" mos="https://cdn.mos.cms.futurecdn.net/zN9yq6wvv8oBhbPFBWeEAd.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Unified endpoint management solutions 2021-22</strong></p><p class="fancy-box__body-text">Analysing the UEM landscape</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/endpoint-security/367050/unified-endpoint-management-solutions-2021-22" data-original-url="/security/endpoint-security/367050/unified-endpoint-management-solutions-2021-22">FREE DOWNLOAD</a></p></div></div><p>“Once Behinder was deployed, the attacker used the in-memory web shell to deploy two additional web shells to disk: China Chopper and a custom file upload shell.”</p><p>The researchers noted that China Chopper was installed but was rarely accessed, according to web logs, leading them to the conclusion that it was installed simply as a means of secondary access.</p><p>Delving further into the web logs, Volexity also discovered the commonly executed commands made by the attackers once they had access.</p><p>Among these were reconnaissance commands - checking the operating system version and examining the contents of password files. </p><p>Attackers then looked for user tables from the Confluence database and dumped them before attempting to deploy anti-analysis tactics by altering web logs to remove evidence of <a href="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities" data-original-url="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities">exploitation</a>.</p><p>They also wrote additional web shells to the victims’ disks, but not all of these could be recovered, Volexity said.</p><p>Specific details regarding how the exploit takes place have not been made public, but Tenable <a href="https://www.tenable.com/blog/cve-2022-26134-zero-day-vulnerability-in-atlassian-confluence-server-and-data-center-exploited">said</a> that past attacks on Atlassian Confluence have involved sending specially crafted requests to vulnerable Confluence Server or Data Center instances to execute code and fully take over the system.</p><p>One of the most recent examples of attacks on Confluence came less than a year ago when the <a href="https://www.itpro.com/security/hacking/360783/us-officials-warn-mass-exploitation-of-atlassian-confluence-flaw" data-original-url="https://www.itpro.com/security/hacking/360783/us-officials-warn-mass-exploitation-of-atlassian-confluence-flaw">US Cyber Command warned of a highly exploitable flaw</a> that led to code execution. </p><p>That security incident came three months after a separate <a href="https://www.itpro.com/security/vulnerability/360006/atlassian-patches-one-click-flaw-that-allowed-hackers-to-steal-user" data-original-url="https://www.itpro.com/security/vulnerability/360006/atlassian-patches-one-click-flaw-that-allowed-hackers-to-steal-user">one-click flaw was found to affect Atlassian Jira</a>, the company’s bug-tracking and project management tool, that allowed hackers to steal sensitive information.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ State-sponsored hackers delay new Microsoft Exchange Server by four years ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/network-internet/mail-servers/368079/state-sponsored-hackers-delay-new-microsoft-exchange-server-four-years</link>
                                                                            <description>
                            <![CDATA[ Hafnium's devastating zero-day exploit chain in 2021 forced Microsoft to improve the security of current versions instead of releasing the new one on schedule ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">b15uC8yLjtKQH53ydYxPCc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bJ9oCEENwLSGt4ZbxEV9hn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 06 Jun 2022 09:22:53 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Microsoft]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bJ9oCEENwLSGt4ZbxEV9hn-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Laptop computer displaying logo of Microsoft Exchange]]></media:description>                                                            <media:text><![CDATA[Laptop computer displaying logo of Microsoft Exchange]]></media:text>
                                <media:title type="plain"><![CDATA[Laptop computer displaying logo of Microsoft Exchange]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bJ9oCEENwLSGt4ZbxEV9hn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>State-sponsored cyber attacks on Microsoft Exchange servers throughout 2021 are the reason why the latest version of the on-prem mail and calendaring server will be delayed by four years, Microsoft said.</p><p>A new version of Microsoft Exchange Server was originally on course for an H2 2021 release but Microsoft has updated its roadmap delaying the release to H2 2025 due to the time it took developers to improve security in the wake of the Hafnium attacks.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/361839/the-scariest-security-horror-stories-of-2021" data-original-url="/security/cyber-security/361839/the-scariest-security-horror-stories-of-2021">The scariest security horror stories of 2021</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-warfare/360282/uk-gov-blames-china-for-exchange-server-attack" data-original-url="/security/cyber-warfare/360282/uk-gov-blames-china-for-exchange-server-attack">UK blames China for Microsoft Exchange Server attack</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/358799/hundreds-of-thousands-of-victims-identified-in-microsoft-exchange-server" data-original-url="/security/hacking/358799/hundreds-of-thousands-of-victims-identified-in-microsoft-exchange-server">‘Hundreds of thousands’ of victims in Microsoft Exchange Server attacks</a></p></div></div><p>Hafnium is a state-sponsored hacking group Microsoft has previously said is linked to China. In 2021, Hafnium attacked Microsoft Exchange servers consistently using a flurry of zero-day vulnerabilities to exfiltrate information from victims across various business verticals.</p><p>In addition to an extra four-year wait for the next version, IT admins can expect to hear more about the new features, pricing, requirements, and naming of the updated version in the first half of 2024.</p><p>Microsoft also <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-roadmap-update/ba-p/3421389">said</a> the latest version will require Server licenses and Client Access Licenses (CALs) and will only be accessible to customers with Software Assurance - a service pack that automatically provides customers with licenses to the latest versions of software. </p><p>The current support dates for Exchange Server 2013 (11 April 2023), Exchange Server 2016 (14 October 2025), and Exchange Server 2019 (14 October 2025) are unchanged. </p><p>The next version of Exchange Server will move to Microsoft’s Modern Lifecycle Policy which does not set end-of-life (EOL) dates for products or services but continues to offer support as long as there is demand for it in the market.</p><p>Customers running Exchange Server 2019 may have an easier time upgrading to the new version when the time comes, Microsoft hinted.</p><p>After resolving previously known upgrading issues relating to hardware requirements and mailbox migration, Microsoft is introducing an in-place upgrade capability to Exchange Server 2019 and recommends all customers upgrade to the version “as soon as possible”.</p><h2 id="hafnium-s-server-siege">Hafnium’s server siege</h2><p>Last year, the Chinese-linked state-sponsored hacking group exploited a chain of zero-day vulnerabilities in Microsoft Exchange, leading to hacks on <a href="https://www.itpro.com/security/hacking/358799/hundreds-of-thousands-of-victims-identified-in-microsoft-exchange-server" data-original-url="https://www.itpro.com/security/hacking/358799/hundreds-of-thousands-of-victims-identified-in-microsoft-exchange-server">hundreds of thousands of businesses</a>. </p><p>Microsoft said at the time that the group was known for harvesting data from various types of organisations including those in the medical, education, military, NGO, and policy sectors.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="NeFDhiupASoeoyipbhF9uf" name="NeFDhiupASoeoyipbhF9uf.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/NeFDhiupASoeoyipbhF9uf.jpg" mos="https://cdn.mos.cms.futurecdn.net/NeFDhiupASoeoyipbhF9uf.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The state of brand protection 2021</strong></p><p class="fancy-box__body-text">A new front opens up in the war for brand safety</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/360246/the-state-of-brand-protection-2021" data-original-url="/security/cyber-security/360246/the-state-of-brand-protection-2021">FREE DOWNLOAD</a></p></div></div><p>Based in China but operating from US-based virtual private servers (VPS), <a href="https://www.itpro.com/security/zero-day-exploit/358760/microsoft-exchange-zero-day-hack" data-original-url="https://www.itpro.com/security/zero-day-exploit/358760/microsoft-exchange-zero-day-hack">Hafnium gained access to Exchange Servers</a>, installed a web shell for remote control, and stole data.</p><p>The White House was especially concerned about the threat to national security and urged all businesses to patch their Exchange servers to the latest version as a matter of priority, at the time.</p><p>More than a month after the exploits became public knowledge, <a href="https://www.itpro.com/server-storage/servers/359207/microsoft-releases-three-new-exchange-server-patches" data-original-url="https://www.itpro.com/server-storage/servers/359207/microsoft-releases-three-new-exchange-server-patches">US government agencies were still finding unpatched Exchange Server vulnerabilities in their systems</a>.</p><p>Experts said that if organisations hadn’t patched on the day of release, there was a strong chance that the environment was already compromised, and the web shell had already been planted.</p><p>It was <a href="https://www.itpro.com/security/cyber-attacks/358817/microsoft-was-aware-of-exchange-vulnerabilities-since-early-january" data-original-url="https://www.itpro.com/security/cyber-attacks/358817/microsoft-was-aware-of-exchange-vulnerabilities-since-early-january">later revealed</a> that Microsoft first became aware of the zero-day exploits in January 2021, two months before Hafnium’s activity ramping up in March.</p><p>Hafnium’s exploit chain was ultimately used in separate attacks throughout the year, namely by the Qakbot and SquirrelWaffle malspam campaigns <a href="https://www.itpro.com/security/ransomware/361417/microsoft-exchange-servers-distribute-squirrelwaffle-malware" data-original-url="https://www.itpro.com/security/ransomware/361417/microsoft-exchange-servers-distribute-squirrelwaffle-malware">spreading via unpatched servers</a> in October 2021.</p><h2 id="microsoft-s-work-so-far">Microsoft’s work so far</h2><p>The delay to the latest version of Microsoft Exchange Server came as a result of Microsoft's security experts being forced to work throughout 2021 to combat the heavy attacks from the exploits used by Hafnium. </p><p>It said that work on the new release was stalled as the team was busy pushing out-of-band security updates, a <a href="https://www.itpro.com/security/cyber-attacks/358907/microsoft-releases-one-click-patch-for-hafnium-vulnerability" data-original-url="https://www.itpro.com/security/cyber-attacks/358907/microsoft-releases-one-click-patch-for-hafnium-vulnerability">one-click mitigation tool</a> - which was later integrated as a core feature of Exchange Server and integrating other services to improve the security of the service for IT admins.</p><p>It also launched a bug bounty programme for Exchange Server and Office Server under the Microsoft Applications and On-Premises Servers Bounty Program to improve the company’s collaboration with the private sector and independent security researchers and ultimately improve the security of Exchange Server.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Chinese hackers exploit Microsoft zero-day as list of vulnerable Office products grows ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/367913/chinese-hackers-exploit-microsoft-zero-day</link>
                                                                            <description>
                            <![CDATA[ Microsoft has published a support guide and temporary workarounds for IT admins to mitigate the threat ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ruUgitvkB9hVzvzYz3NidS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/xrgj9PF6FCZYP28wvvrMNh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 01 Jun 2022 10:13:40 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Microsoft Office]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Microsoft]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/xrgj9PF6FCZYP28wvvrMNh-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft Office 365 image, with a magnifying glass over Microsoft Word]]></media:description>                                                            <media:text><![CDATA[Microsoft Office 365 image, with a magnifying glass over Microsoft Word]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft Office 365 image, with a magnifying glass over Microsoft Word]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/xrgj9PF6FCZYP28wvvrMNh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Microsoft Office zero-day vulnerability reported widely this week is already being used in active attacks by Chinese state-sponsored hackers, a cyber security company has said. </p><p>The advanced persistent threat (APT) group tracked as TA413 has been spotted impersonating the Women’s Empowerment Desk of the Central Tibetan Administration - a genuine division dedicated to issues such as gender equality and combating violence against women.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/367824/fresh-microsoft-office-zero-day-executes-code-on-patched-apps" data-original-url="/security/zero-day-exploit/367824/fresh-microsoft-office-zero-day-executes-code-on-patched-apps">Fresh Microsoft Office zero-day executes code on fully patched applications</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/operating-systems/microsoft-windows/367018/microsoft-defender-false-positive-ransomware-alerts" data-original-url="/operating-systems/microsoft-windows/367018/microsoft-defender-false-positive-ransomware-alerts">Microsoft Defender drops "downpour" of false ransomware alerts on customers</a></p></div></div><p>Proofpoint researchers <a href="https://twitter.com/threatinsight/status/1531688214993555457">said</a> the malicious documents are delivered via zip archives through URLs that aim to imitate the genuine Tibetan government, but didn’t comment on the type of payload that’s delivered. </p><p>The vulnerability that exploits the ms-msdt Microsoft Office Uniform Resource Identifier (URI) scheme is now tracked with <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190">CVE-2022-30190</a> and has been shown to work on all versions of Microsoft Office and Windows Server, including Office 365 which was previously thought to not be vulnerable.</p><p>Successful exploitation of the diagnostic and troubleshooting tool can lead to the execution of malicious code on Windows systems.</p><p>If the malicious document is saved using the Rich Text Format (RTF), code can also be executed by looking up the document in the Windows Explorer preview tab, without even opening it up.</p><h2 id="under-the-radar">Under the radar</h2><p>Since CVE-2022-30190 became <a href="https://www.itpro.com/security/zero-day-exploit/367824/fresh-microsoft-office-zero-day-executes-code-on-patched-apps" data-original-url="https://www.itpro.com/security/zero-day-exploit/367824/fresh-microsoft-office-zero-day-executes-code-on-patched-apps">widely reported this week</a>, it has since emerged that Microsoft was made aware of the vulnerability as far back as 12 April 2022. </p><p>A researcher by the alias of crazyman, who is part of a bug-hunting collective called Shadow Chaser Group, was credited with the discovery once Microsoft assigned the vulnerability a CVE code. </p><p>Crazyman posted proof of their submission to Microsoft online and found an example of in-the-wild exploitation seemingly from a Russian-speaking threat actor more than a month ago.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr"><a href="https://twitter.com/cantworkitout/status/1531120929321152512"></a></p></blockquote><div class="see-more__filter"></div></div><p>A member of Microsoft Security Response Centre (MSRC) <a href="https://twitter.com/CrazymanArmy/status/1531184830171742209">responded to the submission</a> after looking at it “critically” and decided that it was “not a security-related issue”.</p><p>The team acknowledged that the MSDT scheme was executed as part of the malicious document but since it required a passcode when it started - a passcode that did not work for the MSRC analyst during testing - the case was ultimately closed.</p><p>Independent security researcher and former Microsoft-employed security professional Kevin Beaumont, whose report of the <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerability</a> sparked wider interest in it this week, <a href="https://twitter.com/GossiTheDog/status/1531352804115329024">said</a> MSRC’s response sounded like they wanted to re-triage the report, rather than dismiss it entirely. </p><p>On the same day, a threat intelligence researcher at MalwareBytes also discovered the Russian-language maldoc sample but <a href="https://twitter.com/MBThreatIntel/status/1531398009103142912">the cyber security company said</a> the remote template was already down at the time which meant that identification was not possible.</p><h2 id="microsoft-s-guidance">Microsoft’s guidance</h2><p>Along with assigning the zero-day CVE tracking identifier, Microsoft has released <a href="https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability">a support document</a> for Windows and Microsoft Office users, advising of the temporary workarounds they can deploy to mitigate the threat.</p><p>The recommended workaround is to disable the MSDT URI to prevent troubleshooters from being launched as links, including links throughout the operating system.</p><p>Troubleshooters can still be accessed by using the Get Help application, Microsoft said, and through system settings.</p><p>To disable MDST, Microsoft instructed users to do the following:</p><ul><li>Run Command Prompt as Administrator.</li><li>To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt <em>filename</em>”</li><li>Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.</li></ul><p>To undo the workaround - potentially useful information when a full patch is released, users should do the following:</p><ul><li>Run Command Prompt as Administrator.</li><li>To restore the registry key, execute the command “reg import <em>filename</em>”</li></ul><p>It was previously reported that Microsoft Defender for Endpoint did not detect exploitation of CVE-2022-30190 but Microsoft said it now provides alerts in Microsoft 365 Defender portal under the following titles:</p><ul><li>Suspicious behaviour by an Office application</li><li>Suspicious behaviour by Msdt.exe</li></ul><p><a href="https://www.itpro.com/operating-systems/microsoft-windows/367018/microsoft-defender-false-positive-ransomware-alerts" data-original-url="https://www.itpro.com/operating-systems/microsoft-windows/367018/microsoft-defender-false-positive-ransomware-alerts">Microsoft Defender</a> Antivirus also now provides detections for possible exploitation using the following signatures using detection build 1.367.719.0 or newer:</p><ul><li>Trojan:Win32/Mesdetty.A (blocks msdt command line)</li><li>Trojan:Win32/Mesdetty.B (blocks msdt command line)</li><li>Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)</li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Fresh Microsoft Office zero-day executes code on fully patched applications ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/367824/fresh-microsoft-office-zero-day-executes-code-on-patched-apps</link>
                                                                            <description>
                            <![CDATA[ Malicious documents saved in Rich Text Format are especially concerning since they can execute code without even being opened ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nfrWhq1aWzdZVEp2TfFFF2</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WuwcJyVUTcRqNytQj4rpwd-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 30 May 2022 09:48:01 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WuwcJyVUTcRqNytQj4rpwd-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A magnifying glass hovering over a PC screen with the symbols for Microsoft Office software displayed]]></media:description>                                                            <media:text><![CDATA[A magnifying glass hovering over a PC screen with the symbols for Microsoft Office software displayed]]></media:text>
                                <media:title type="plain"><![CDATA[A magnifying glass hovering over a PC screen with the symbols for Microsoft Office software displayed]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WuwcJyVUTcRqNytQj4rpwd-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A new Microsoft Office zero-day vulnerability has been discovered by security researchers that leads to code execution.</p><p>The vulnerability involves exploiting maliciously crafted documents (maldocs) to load HTML code which then uses the ms-msdt Microsoft Office Uniform Resource Identifier (URI) scheme to execute PowerShell code.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/software/microsoft-office/362184/microsoft-disables-vba-macros-in-office-by-default" data-original-url="/software/microsoft-office/362184/microsoft-disables-vba-macros-in-office-by-default">Microsoft disables VBA macros in Office by default following years of complaints</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/367495/microsofts-secure-vba-macro-rules-already-being-bypassed-by" data-original-url="/security/367495/microsofts-secure-vba-macro-rules-already-being-bypassed-by">Microsoft's secure VBA macro rules already being bypassed by hackers</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a></p></div></div><p>Office URIs were introduced in Office 2010 Service Pack 2 and allow Office applications to be invoked using various commands.</p><p>Ms-msdt is a URI that invokes a troubleshooting pack at the command line or as part of an automated script and enables additional options without user input.</p><p>The exploit is an example of ways <a href="https://www.itpro.com/security/367495/microsofts-secure-vba-macro-rules-already-being-bypassed-by" data-original-url="https://www.itpro.com/security/367495/microsofts-secure-vba-macro-rules-already-being-bypassed-by">cyber attackers are bypassing Microsoft’s tougher rules on macro-enabled documents</a> - a method of malware delivery previously very popular until <a href="https://www.itpro.com/software/microsoft-office/362184/microsoft-disables-vba-macros-in-office-by-default" data-original-url="https://www.itpro.com/software/microsoft-office/362184/microsoft-disables-vba-macros-in-office-by-default">Microsoft’s intervention earlier this year</a>.</p><p>In <a href="https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e">testing the vulnerability</a>, independent security researcher Kevin Beaumont noticed that Defender for Endpoint was not detecting the execution of the code embedded in the maldocs and that it would still work when Office macros were fully disabled.</p><p>Other researchers have <a href="https://twitter.com/_JohnHammond/status/1531149976079945729">spotted</a> Defender for Endpoint and the free version of the <a href="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus" data-original-url="https://www.itpro.com/malware/28153/whats-the-difference-between-antimalware-and-antivirus">anti-malware tool</a> picking up the malicious sample, though.</p><p>Beaumont also noted the Office’s limited-functionality Protected View does initiate in the most up-to-date Office versions, requiring the user to click out of the safer mode for the document to execute.</p><p>However, if the maldoc is saved in a Rich Text Format (RTF), then the malicious code can run even if the document hasn’t been opened, via the Windows Explorer preview tab.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr"><a href="https://twitter.com/cantworkitout/status/1531128757867753472"></a></p></blockquote><div class="see-more__filter"></div></div><p>Beaumont said he was able to exploit the vulnerability in Office versions 2013 and 2016, and added that he was unable to reproduce the exploit on the current public and insider builds.</p><p>Other researchers have been able to test the vulnerability further, with one achieving a working exploit <a href="https://twitter.com/buffaloverflow/status/1530866518279565312?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1530866518279565312%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fcdn.embedly.com%2Fwidgets%2Fmedia.html%3Ftype%3Dtext2Fhtmlkey%3Da19fcc184b9711e1b4764040d3dc5c07schema%3Dtwitterurl%3Dhttps3A%2F%2Ftwitter.com%2Fbuffaloverflow%2Fstatus%2F1530866518279565312image%3Dhttps3A%2F%2Fi.embed.ly%2F1%2Fimage3Furl3Dhttps253A252F252Fabs.twimg.com252Ferrors252Flogo46x38.png26key3Da19fcc184b9711e1b4764040d3dc5c07">using Windows 11 and an April version of Office Pro Plus</a>. Another was <a href="https://www.youtube.com/watch?v=GybD70_rZDs">able to replicate it</a> on a fully patched Microsoft Office 2021.</p><p>Despite it not currently believed to be affecting the most recent versions, Beaumont - a former Microsoft-employed cyber security expert - said the <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day</a> is still noteworthy given that many businesses run older channels of Office software.</p><p>“Detection is probably not going to be great, as Word loads the malicious code from a remote template (webserver), so nothing in the Word document is actually malicious,” he said.</p><p>“Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking. Microsoft will probably point towards Protected View, however, Protected View also applies by default to all macros, and Office macro <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> is most definitely a major problem regardless.</p><p>“Additionally, you can use MS Protocol URI schemes in Outlook emails,” he added.</p><p>It’s currently unclear how Microsoft intends to respond to the discovery and how quickly a patch will be made available.</p><p><em>IT Pro</em> contacted Microsoft for a response but it did not reply at the time of publication.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Datadog to acquire cyber security startup Hdiv Security ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-security/367602/datadog-to-acquire-cyber-security-startup-hdiv-security</link>
                                                                            <description>
                            <![CDATA[ The acquisition will help Datadog boost its Cloud Security platform's application security capabilities ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">pita142k2K52Wybw6L5hSn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ucdeWPpK8UiaDVLgJ87X9J-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 06 May 2022 13:06:55 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Acquisition]]></category>
                                                    <category><![CDATA[Business]]></category>
                                                                                                                    <dc:creator><![CDATA[ Praharsha Anand ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ucdeWPpK8UiaDVLgJ87X9J-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A person holding a smartphone in front of the Datadog logo]]></media:description>                                                            <media:text><![CDATA[A person holding a smartphone in front of the Datadog logo]]></media:text>
                                <media:title type="plain"><![CDATA[A person holding a smartphone in front of the Datadog logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ucdeWPpK8UiaDVLgJ87X9J-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Datadog has announced its plans to acquire security software provider Hdiv Security for an undisclosed sum.</p><p>Hdiv Security is best known for its RASP security technology that provides applications, <a href="https://www.itpro.com/strategy/28878/what-are-microservices" data-original-url="https://www.itpro.com/strategy/28878/what-are-microservices">microservices</a>, and <a href="https://www.itpro.com/application-programming-interface-api/33557/the-api-economy-what-your-business-needs-to-know" data-original-url="https://www.itpro.com/application-programming-interface-api/33557/the-api-economy-what-your-business-needs-to-know">APIs</a> protection by flagging both known and unknown <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">(zero-day) vulnerabilities</a> at runtime. The early vulnerability assessment allows for quick remediation, lowering the risk of a security breach.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/367546/datadogs-asm-platform-unmasks-attack-flows-at-code-level" data-original-url="/security/367546/datadogs-asm-platform-unmasks-attack-flows-at-code-level">Datadog's ASM platform unmasks attack flows at code level</a></p></div></div><p>Hdiv Security’s unified application security solutions will add to Datadog's Cloud Security platform. The fusion will lead to an integrated approach to application security, according to Datadog.</p><p>Hdiv Security’s threat detection capabilities also complement Datadog’s latest <a href="https://www.itpro.com/security/367546/datadogs-asm-platform-unmasks-attack-flows-at-code-level" data-original-url="https://www.itpro.com/security/367546/datadogs-asm-platform-unmasks-attack-flows-at-code-level">Application Security Monitoring (ASM) platform</a> that alerts organizations to atypical application behavior through distributed tracing.</p><p>"Combining security and observability provides Datadog customers unique insights into sensitive services that are vulnerable or under attack," said Pierre Betouin, VP of product and cloud security platform at Datadog.</p><p>"Adding Hdiv Security's capabilities to Datadog's Cloud Security Platform will deepen security visibility across the entire software life cycle to help our customers develop more secure and resilient applications," added Betouin.</p><p>The Datadog-Hdiv Security acquisition deal is slated to close by the third quarter of the current fiscal year, pending regulatory approvals.</p><p>"Our focus at Hdiv Security has always been on detecting security vulnerabilities and protecting software, regardless of where it is deployed. Datadog is the perfect partner to advance this mission to continuously and accurately detect vulnerabilities in applications," commented Roberto Velasco, founder and CEO of Hdiv Security.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Report: Apple "neglects" to patch zero-days for older macOS versions ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/367344/report-apple-neglects-to-patch-zero-days-for-older-macos-versions</link>
                                                                            <description>
                            <![CDATA[ Analysis shows large proportion of Macs in operation remain unprotected to the actively exploited flaws patched last week ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kmeqhwo4i16D48b86mNgAR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2up96cQ2kaswZgTGTa6tSF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 06 Apr 2022 10:58:57 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2up96cQ2kaswZgTGTa6tSF-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Apple logo displayed next to a promotional poster for macOS Big Sur]]></media:description>                                                            <media:text><![CDATA[The Apple logo displayed next to a promotional poster for macOS Big Sur]]></media:text>
                                <media:title type="plain"><![CDATA[The Apple logo displayed next to a promotional poster for macOS Big Sur]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2up96cQ2kaswZgTGTa6tSF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Software security company Intego estimates around 35-40% of all Mac computers are currently vulnerable to zero-days Apple 'neglected' to patch.</p><p>The two actively exploited zero-day vulnerabilities were addressed by Apple in an earlier security fix, but it failed to release patches for older versions of macOS, namely Big Sur and Catalina.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/367277/apple-emergency-patch-fixing-ios-macos-zero-days" data-original-url="/security/zero-day-exploit/367277/apple-emergency-patch-fixing-ios-macos-zero-days">Apple releases emergency patch fixing zero-days across iOS and macOS</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/hardware/tablets/365082/apple-ipad-air-2020-review-the-executives-choice" data-original-url="/hardware/tablets/365082/apple-ipad-air-2020-review-the-executives-choice">Apple iPad Air (2020) review: The executive’s choice</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="/security/27713/the-importance-and-benefits-of-effective-patch-management">Patch management vs vulnerability management</a></p></div></div><p>Apple released an <a href="https://www.itpro.com/security/zero-day-exploit/367277/apple-emergency-patch-fixing-ios-macos-zero-days" data-original-url="https://www.itpro.com/security/zero-day-exploit/367277/apple-emergency-patch-fixing-ios-macos-zero-days">emergency patch for two zero-days last week</a>, tracked as CVE-2022-22674 and CVE-2022-22675, both of which Apple said was under active exploitation.</p><p>Both security vulnerabilities affected macOS and the latter (CVE-2022-22675) also affected iOS and iPadOS too, said Joshua Long, chief security analyst at Intego. Some older versions such as iOS 14 were also neglected in last week’s patch but this could be explained by Apple “quietly” ending support for iOS 14 in January 2022. </p><p>“Both of these macOS versions are ostensibly still receiving patches for ‘significant vulnerabilities’ - and actively exploited <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerabilities</a> certainly qualify as significant,” said Long in a <a href="https://www.intego.com/mac-security-blog/apple-neglects-to-patch-zero-day-wild-vulnerabilities-for-macos-big-sur-catalina">blog post</a>. </p><p>“Apple has maintained the practice of patching the two previous macOS versions alongside the current macOS version for nearly a decade. But now, Apple has neglected to patch both Big Sur and Catalina to address the latest actively exploited vulnerabilities.”</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="NhMQzdZrFWPUNLGH4vbCi8" name="NhMQzdZrFWPUNLGH4vbCi8.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/NhMQzdZrFWPUNLGH4vbCi8.png" mos="https://cdn.mos.cms.futurecdn.net/NhMQzdZrFWPUNLGH4vbCi8.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The state of SD-WAN, SASE and zero trust security architectures</strong></p><p class="fancy-box__body-text">Be a leader in the deployment of zero trust, SD-WAN and SASE</p><p class="fancy-box__body-text">FREE DOWNLOAD</p></div></div><p>Long said Catalina does not have the vulnerable component, AppleAVD, involved in CVE-2022-22675 so is not vulnerable to this specifically. However, it is believed to be vulnerable to CVE-2022-22674 and Big Sur is believed to be vulnerable to both.</p><p>Apple has reportedly not responded to Intego’s requests for clarity on why the older macOS versions have not received the <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">security patches</a>, despite still receiving security updates more generally.</p><p>Long pointed out that this isn’t the first time Apple has neglected older macOS versions in security updates. According to the security analyst, Apple failed to patch two out of the total seven WebKit vulnerabilities found in Safari back in October for macOS Big Sur and Catalina too.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr"><a href="https://twitter.com/cantworkitout/status/1453841355176693760"></a></p></blockquote><div class="see-more__filter"></div></div><p>“A preliminary assessment of just the first round of patches at macOS Monterey’s release in October 2021 indicated that there may have already been well over a dozen vulnerabilities that were not patched for previous macOS versions,” said Long.</p><p>Back when Big Sur was the newest macOS version running on Apple computers, the researcher’s analysis showed less than half of the hundreds of security vulnerabilities known at the time were fixed for the then-three most recent macOS versions.</p><p>Around 16% were patched for the most recent two versions and 34% were patched only for the most recent, Big Sur.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple releases emergency patch fixing zero-days across iOS and macOS ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/367277/apple-emergency-patch-fixing-ios-macos-zero-days</link>
                                                                            <description>
                            <![CDATA[ Flaws have been fixed on iPhones, iPads, and Macs, as well as undisclosed vulnerabilities on Apple TV and Apple Watch devices ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">psX3UenJHeUQP91PAqPbEh</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wjazAriT7Av6xk2iikTCUN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 01 Apr 2022 09:04:29 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wjazAriT7Av6xk2iikTCUN-1280-80.jpg">
                                                            <media:credit><![CDATA[IT Pro]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Image of iPhone 13 on a white background]]></media:description>                                                            <media:text><![CDATA[Image of iPhone 13 on a white background]]></media:text>
                                <media:title type="plain"><![CDATA[Image of iPhone 13 on a white background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wjazAriT7Av6xk2iikTCUN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has released a set of emergency security updates for iPhone, iPad, and Mac following the discovery of two new zero-day vulnerabilities that were actively being exploited.</p><p>An anonymous researcher made Apple aware of the security issues, which are tracked as CVE-2022-22674 and CVE-2022-22675 respectively.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution" data-original-url="/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution">Apple fixes array of iOS, macOS zero-days and code execution security flaws</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/362225/apple-releases-major-security-update-iphones-ipads-macs-webkit" data-original-url="/security/vulnerability/362225/apple-releases-major-security-update-iphones-ipads-macs-webkit">Apple users told to update their devices to fix critical WebKit flaw</a></p></div></div><p>The first issue (CVE-2022-22674) only affects Macs, and more specifically the Intel Graphics Driver. Apple said the vulnerability involved an out-of-bounds read issue that could lead to the disclosure of kernel memory.</p><p>Apple believes the issue may have been exploited by hackers in the past and has fixed it by improving input validation, it said in an <a href="https://support.apple.com/en-gb/HT201222">advisory</a>.</p><p>Out-of-bounds read flaws typically allow attackers to read sensitive information from other memory locations, or cause a crash on the device.</p><p>The second vulnerability (CVE-2022-22675) affects iPhones, iPads, and Macs. A flaw in AppleAVD, an audio/video decoding framework used by Apple devices, allowed for arbitrary code to be executed with kernel privileges. The vulnerability, also believed to have been exploited in the past, was caused by an out-of-bounds write issue that Apple fixed by improving bounds checking.</p><p>Similar to out-of-bounds read issues, out-of-bounds write flaws occur when software modifies an index or performs pointer arithmetic that references a memory location outside of the buffer’s boundaries. This can lead to data corruption, a device crash, or, in this case, code execution.</p><p>Apple has released emergency patches for all affected devices on <a href="https://www.itpro.com/mobile/30409/android-vs-ios-which-mobile-os-is-right-for-you" data-original-url="https://www.itpro.com/mobile/30409/android-vs-ios-which-mobile-os-is-right-for-you">iOS</a> (15.4.1), iPadOS (15.4.1), and macOS (12.3.1). These include iPhone 6 models and newer, all <a href="https://www.itpro.com/hardware/tablets/361463/apple-ipad-pro-129in-2021-review-a-giant-leap-for-apple-silicon" data-original-url="https://www.itpro.com/hardware/tablets/361463/apple-ipad-pro-129in-2021-review-a-giant-leap-for-apple-silicon">iPad Pro</a> models, <a href="https://www.itpro.com/hardware/tablets/365082/apple-ipad-air-2020-review-the-executives-choice" data-original-url="https://www.itpro.com/hardware/tablets/365082/apple-ipad-air-2020-review-the-executives-choice">iPad Air</a> 2 and newer, iPad 5th generation and newer, iPad mini4 and newer, and iPod Touch 7th generation.</p><p>Importantly, the security patch for Macs seems to only be available on <a href="https://www.itpro.com/software/operating-systems/361421/macos-monterey-bricking-macs" data-original-url="https://www.itpro.com/software/operating-systems/361421/macos-monterey-bricking-macs">macOS Monterey</a>, which means devices will need to be updated to the latest version of the operating system.</p><p>Security fixes for Apple TV (tvOS 15.4.1) and Apple Watch (watchOS 8.5.1) were also released in new updates, but Apple has not yet supplied any information for these or assigned CVE tracking codes.</p><h2 id="a-year-full-of-zero-days">A year full of zero-days</h2><div class="youtube-video" data-nosnippet ><div class="video-aspect-box"><iframe data-lazy-priority="high" data-lazy-src="https://www.youtube-nocookie.com/embed/LuqAVA1jiPI" allowfullscreen></iframe></div></div><p>The latest round of emergency patches from Apple addresses the fourth and fifth <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerabilities</a> affecting devices in the company’s device ecosystem this year.</p><p>An array of security issues, including two zero-days, were <a href="https://www.itpro.com/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution" data-original-url="https://www.itpro.com/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution">patched in January</a> that all involved code execution flaws, some with kernel privileges too, similar to CVE-2022-22675.</p><p>Around two weeks later, Apple was forced to <a href="https://www.itpro.com/security/vulnerability/362225/apple-releases-major-security-update-iphones-ipads-macs-webkit" data-original-url="https://www.itpro.com/security/vulnerability/362225/apple-releases-major-security-update-iphones-ipads-macs-webkit">issue another emergency patch</a> for a critical WebKit flaw. WebKit is the engine that powers the Safari browser and the code execution flaw also had evidence of previous active exploitation.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Patch finally released for Spring4Shell zero-day after vulnerable businesses put on high alert ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/367267/patch-released-for-spring4shell-zero-day-businesses-on-high-alert</link>
                                                                            <description>
                            <![CDATA[ With proof-of-concept code out in the wild, businesses are encouraged to assess their exposure to what's being dubbed 'Log4Shell 2.0' ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7izZL9HbscTdQTM6HuvXNC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ZUHvccG7dhVxKAtQP5bmUX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 31 Mar 2022 12:15:03 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ZUHvccG7dhVxKAtQP5bmUX-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyber security represented by a digital screen with encryption data background]]></media:description>                                                            <media:text><![CDATA[Cyber security represented by a digital screen with encryption data background]]></media:text>
                                <media:title type="plain"><![CDATA[Cyber security represented by a digital screen with encryption data background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ZUHvccG7dhVxKAtQP5bmUX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Spring has released an update to its core framework that is thought to bring with it a security fix for the Spring4Shell zero-day discovered this week.</p><p>The maintainer of the widely used open source Java framework announced the fix was available on Thursday afternoon after businesses scrambled to assess their exposure to the newly discovered zero-day, for which there were already publicly available proof-of-concept (PoC) exploits.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">What is the Log4Shell vulnerability?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/361907/ftc-threatens-legal-action-companies-failing-to-patch-log4shell" data-original-url="/security/cyber-security/361907/ftc-threatens-legal-action-companies-failing-to-patch-log4shell">FTC threatens legal action against companies failing to patch Log4Shell</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/botnets/367007/linux-botnet-spreads-using-log4shell-flaw" data-original-url="/security/botnets/367007/linux-botnet-spreads-using-log4shell-flaw">Linux botnet spreads using Log4Shell flaw</a></p></div></div><p>The latest version, dubbed 5.3.18, <a href="https://twitter.com/springframework/status/1509487095064190980">can be downloaded now</a> and early reports from experts suggest the security fix is working. Businesses are recommended to upgrade to the latest version to avoid falling victim to the remote code execution (RCE) flaw.</p><p>"[I] quickly tested Spring Framework's 5.3.18 release and it does stop the original PoC," said security researcher Jacob Baines. "Obviously, need to spend some time looking at their changes, but a good start."</p><p>A backported fix for Spring4Shell is also included in Spring's 5.2.20 version update which is also available now. The community is still waiting for a CVE tracking code.</p><h2 id="what-is-spring4shell">What is Spring4Shell?</h2><p>Businesses were left exposed this week to a zero-day security vulnerability branded ‘Spring4Shell’ while PoC exploits proliferated in the public domain.</p><p>Spring4Shell is a zero-day vulnerability found in the popular Spring Core Framework for Java applications, that could be exploited for remote code execution (RCE) attacks on affected machines.</p><p>The open source Spring Core Framework is one of the most popular Java Enterprise Edition frameworks and offers features to create high-performance <a href="https://www.itpro.com/software/development/360782/java-isnt-even-slightly-dead-and-heres-why" data-original-url="https://www.itpro.com/software/development/360782/java-isnt-even-slightly-dead-and-heres-why">Java applications</a>. All Spring Core Framework versions running JDK 9 and newer are thought to be vulnerable.</p><p>The flaw has been compared to the <a href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">Log4Shell vulnerability</a> affecting the log4j2 Java logging utility, but the two are unrelated. Spring4Shell can also only be exploited if a number of prerequisites are met, <a href="https://twitter.com/wdormann/status/1509280535071309827">according to security researcher Will Dormann</a>, unlike Log4Shell which affected all versions of log4j2.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="qXHBAToERJPV4gXMJHimvG" name="qXHBAToERJPV4gXMJHimvG.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/qXHBAToERJPV4gXMJHimvG.png" mos="https://cdn.mos.cms.futurecdn.net/qXHBAToERJPV4gXMJHimvG.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Deploying flexible data protection to support cloud workload placement</strong></p><p class="fancy-box__body-text">Why data availability and cyber recovery are foundational to successful digital transformation</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/business-strategy/digital-transformation/366424/deploying-flexible-data-protection-to-support-cloud" data-original-url="/business-strategy/digital-transformation/366424/deploying-flexible-data-protection-to-support-cloud">FREE DOWNLOAD</a></p></div></div><p>All vulnerable versions of the Spring Core Framework also use Spring Beans, he said - a complex component of the framework that involves a project’s supporting objects, Spring Parameter Binding, and Spring Parameter Binding must also be configured using a non-basic parameter type such as POJOs.</p><p>Cyber security company Tenable <a href="https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability">said</a> it’s unclear how common these prerequisites are in real-world applications, but they are necessary for exploitation and there is evidence of PoCs already.</p><p>“In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system,” said Praetorian, one of the first security companies to confirm the vulnerability, in a <a href="https://www.praetorian.com/blog/spring-core-jdk9-rce">blog post</a>. “However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.</p><p>“This vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system.”</p><p>Praetorian also said the vulnerability is effective since it bypasses a previous patch made nearly 12 years ago for <a href="http://blog.o0o.nu/2010/06/cve-2010-1622.html">CVE-2010-1622</a>, a separate code injection vulnerability in the Spring Core Framework.</p><p>Some members of the security community have been confusing two separate Spring vulnerabilities. This week's Spring4Shell and <a href="https://www.tenable.com/cve/CVE-2022-22963">CVE-2022-22963</a> are entirely separate, the latter being a flaw in the Spring Cloud Function, which was patched on 29 March, one day before Sring4Shell was identified, Tenable said.</p><p>“With some early reports surfacing that Spring4Shell is significantly different from log4j, we’ll know more as an industry soon enough on its severity and risk level,” said Sam Curry, CSO at Cybereason to <em>IT Pro</em>.</p><p>“More <a href="https://www.itpro.com/hardware/30317/what-is-an-embedded-system" data-original-url="https://www.itpro.com/hardware/30317/what-is-an-embedded-system">embedded system</a> weaknesses are lurking out there. Sadly, we live in an age where adversaries have the skills to quickly exploit these vulnerabilities. Now the call is out for defenders to adapt, innovate faster and thrive. Spring4Shell is another wake up call, but there will be more vulnerabilities coming next month and beyond.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google patches second Chrome browser zero-day of 2022 ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/367226/google-urgent-patch-chrome-zero-day</link>
                                                                            <description>
                            <![CDATA[ Google acted quickly to secure against the type confusion vulnerability that was under active exploitation ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ue8tbct9SDYiR2cn5ZN43k</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/QCRhwsVhmvbdnfreEQHQfM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 28 Mar 2022 09:24:22 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Workspace]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Google]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/QCRhwsVhmvbdnfreEQHQfM-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Google Chrome logo on a Chromebook]]></media:description>                                                            <media:text><![CDATA[Google Chrome logo on a Chromebook]]></media:text>
                                <media:title type="plain"><![CDATA[Google Chrome logo on a Chromebook]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/QCRhwsVhmvbdnfreEQHQfM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google has now patched the second actively exploited zero-day vulnerability in its Chrome browser this year.</p><p>Most of the details about the security vulnerability were left unpublished by Google, but the company confirmed it was a type confusion flaw, tracked as CVE-2022-1096, found in the V8 Javascript engine.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/362243/google-chrome-zero-day-under-active-exploitation" data-original-url="/security/vulnerability/362243/google-chrome-zero-day-under-active-exploitation">Google Chrome update fixes zero-day under active exploitation</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution" data-original-url="/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution">Apple fixes array of iOS, macOS zero-days and code execution security flaws</a></p></div></div><p>Type confusion issues occur when a product’s code is fed objects that aren’t verified, and using these objects without type-checking can create type confusion. In some cases, code execution can be achieved when wrong function pointers or data are fed into certain parts of a codebase.</p><p>“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” said Google Chrome in a <a href="https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html">blog post</a>. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”</p><p>The Google Chrome Stable Channel has been updated to version 99.0.4844.84 across Windows, Mac, and Linux, and users should start to see their browsers update “over the coming days/weeks,” Google said.</p><p>The vulnerability was reported on 23 March which prompted a swift response from Google Chrome which released a patch two days later on 25 March.</p><p>Being based on the <a href="https://www.itpro.com/chromium/32681/what-is-chromium" data-original-url="https://www.itpro.com/chromium/32681/what-is-chromium">Chromium engine</a>, Microsoft released a separate notice informing Edge browser users that it was also vulnerable to the zero-day exploit. Microsoft <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096">rolled out</a> a patch on 26 March for its browser.</p><div class="youtube-video" data-nosnippet ><div class="video-aspect-box"><iframe data-lazy-priority="low" data-lazy-src="https://www.youtube-nocookie.com/embed/zC2DWK79lhs" allowfullscreen></iframe></div></div><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="gSCksczWaVZioTtDeALM4D" name="gSCksczWaVZioTtDeALM4D.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/gSCksczWaVZioTtDeALM4D.png" mos="https://cdn.mos.cms.futurecdn.net/gSCksczWaVZioTtDeALM4D.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Introducing the zero trust edge model for security and network services</strong></p><p class="fancy-box__body-text">Get a better understanding of emerging zero trust solutions</p><p class="fancy-box__body-text">FREE DOWNLOAD</p></div></div><p>The latest <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">patch</a> fixes the second <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerability</a> found in the Chrome browser in nearly as many months. Google released a wave of patches <a href="https://www.itpro.com/security/vulnerability/362243/google-chrome-zero-day-under-active-exploitation" data-original-url="https://www.itpro.com/security/vulnerability/362243/google-chrome-zero-day-under-active-exploitation">earlier in February</a> addressing seven high-severity security issues among which was the first zero-day of the year. </p><p>Tracked as CVE-2022-0609 and carrying a CVSSv3 score of 9.8/10, the initial zero-day was also under active exploitation at the time of discovery and was a UAF in animation flaw - such vulnerabilities can typically lead to code execution on victim machines.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google exposes 'uniquely personal' access broker behind worst Conti, FIN12 ransomware attacks ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/367089/google-exposes-access-broker-behind-worst-conti-fin12-attacks</link>
                                                                            <description>
                            <![CDATA[ Investigation unveils the inner workings of one access broker that helped two of the most-hated ransomware gangs in history ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2KWmecGSAhqXgqC1p3mmYe</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CrPVrKfi3P9ktgSQWRCidE-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Fri, 18 Mar 2022 11:58:58 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/CrPVrKfi3P9ktgSQWRCidE-1280-80.png">
                                                            <media:credit><![CDATA[Google]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The outline of a skull displayed in computer code to represent malware]]></media:description>                                                            <media:text><![CDATA[The outline of a skull displayed in computer code to represent malware]]></media:text>
                                <media:title type="plain"><![CDATA[The outline of a skull displayed in computer code to represent malware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CrPVrKfi3P9ktgSQWRCidE-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google’s cyber security research division has unearthed details of initial access brokers (IABs) working on behalf of some of the biggest ransomware gangs in existence.</p><p>IABs are groups of cyber criminals that exploit vulnerabilities in organisations and sell that access to the highest bidder so they can launch meaningful cyber attacks without conducting the initial leg work.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/362262/dark-web-criminals-are-becoming-increasingly-successful-at-selling" data-original-url="/security/cyber-security/362262/dark-web-criminals-are-becoming-increasingly-successful-at-selling">Remote access to businesses sold for huge profit in growing dark web operation</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/363893/conti-ransomware-data-leaked-ukranian-researcher" data-original-url="/security/ransomware/363893/conti-ransomware-data-leaked-ukranian-researcher">Conti ransomware gang data leaked by Ukrainian cyber researcher</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a></p></div></div><p>The Threat Analysis Group (TAG) observed the EXOTIC LILY IAB operating from at least as far back as September 2021 and has provided access to companies for the likes of Conti and FIN12 so they can launch profitable <a href="https://www.itpro.com/security/28084/what-is-ransomware" data-original-url="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> attacks.</p><p>These types of IAB groups have been operating for some time but have gained popularity in recent years and are approaching the peak of their operational maturity, according to <a href="https://www.itpro.com/security/cyber-security/362262/dark-web-criminals-are-becoming-increasingly-successful-at-selling" data-original-url="https://www.itpro.com/security/cyber-security/362262/dark-web-criminals-are-becoming-increasingly-successful-at-selling">recent reports</a>.</p><p><a href="https://www.itpro.com/security/ransomware/361160/mandiant-releases-details-on-maverick-fast-attack-ransomware-group-fin12" data-original-url="https://www.itpro.com/security/ransomware/361160/mandiant-releases-details-on-maverick-fast-attack-ransomware-group-fin12">FIN12</a> and the <a href="https://www.itpro.com/security/ransomware/363893/conti-ransomware-data-leaked-ukranian-researcher" data-original-url="https://www.itpro.com/security/ransomware/363893/conti-ransomware-data-leaked-ukranian-researcher">now-shuttered Conti</a> are among the most infamous ransomware operators of recent times. They have both indiscriminately targeted organisations for financial gain and, unlike other groups, display few ethical boundaries, both having targeted hospitals and healthcare organisations in the past.</p><p>The well-resourced EXOTIC LILY group, at the peak of its activity, is said to have targeted upwards of 5,000 emails a day across 650 global organisations, attempting to exploit a Microsoft zero-day vulnerability (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444">CVE-2021-40444</a>) to achieve initial access.</p><h2 id="uniquely-personal-approach">Uniquely personal approach</h2><p>Google’s TAG <a href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti">said</a> EXOTIC LILY displayed targeted attack techniques such as spoofing companies and employees as a means to gaining trust through email campaigns but “rather uniquely” devoted a considerable amount of time to each target in an attempt to build trust.</p><p>Like the large-scale ransomware gangs it works for, EXOTIC LILY is comprised of many individuals so they can devote time to each target. TAG said the “level of human-interaction is rather unusual for cyber crime groups focused on mass-scale operations”.</p><p>TAG said EXOTIC LILY would customise business proposal templates when first contacting organisations rather than relying on just one, a technique requiring more effort than typically observed with such groups.</p><p>The IAB also handled additional communications with the victims in order to build trust sending a link to a malicious payload using legitimate file-sharing services.</p><p>The likes of WeTransfer, TransferNow, and OneDrive were used to deliver the payload that exploited the Microsoft zero-day, which was another technique the attackers used to evade detection mechanisms, TAG said.</p><p>EXOTIC LILY’s attack chain remained consistent throughout TAG’s analysis and can be broken down into just a few steps:</p><ol><li>Register [legitimate company name].us to imitate [legitimate company name].com</li><li>Create “employee@[legitimate company name].us” email address</li><li>Use OSINT or a website contact form to acquire target’s email address, send a phishing email</li><li>Establish trust with further discussion or by scheduling a meeting</li><li>Share payload with target</li><li>Send a file-sharing notification</li></ol><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="BgV4CUrneuHJ3kLdKTvHeb" name="" alt="Model of the IAB's method of attack" src="https://cdn.mos.cms.futurecdn.net/BgV4CUrneuHJ3kLdKTvHeb.jpg" mos="https://cdn.mos.cms.futurecdn.net/BgV4CUrneuHJ3kLdKTvHeb.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Google)</span></figcaption></figure><p>The group first used fake online profiles with AI-generated faces to impersonate employees at a spoofed company, but later resorted to stealing genuine employees’ data and harvesting more from databases like CrunchBase and RocketReach.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="mG92862tEkcmYjwLpumZzk" name="mG92862tEkcmYjwLpumZzk.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/mG92862tEkcmYjwLpumZzk.jpg" mos="https://cdn.mos.cms.futurecdn.net/mG92862tEkcmYjwLpumZzk.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>How a platform approach to security monitoring initiatives adds value</strong></p><p class="fancy-box__body-text">Integration, orchestration, analytics, automation, and the need for speed</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/367042/how-a-platform-approach-to-security-monitoring-initiatives-adds-value" data-original-url="/security/367042/how-a-platform-approach-to-security-monitoring-initiatives-adds-value">FREE DOWNLOAD</a></p></div></div><p>The use of a legitimate file-sharing service became a powerful method of avoiding detection, as not only are they familiar companies, but the target also receives a genuine file-sharing notification from that provider to increase the perceived authenticity.</p><p>EXOTIC LILY first used documents containing an exploit for a Microsoft <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day</a> but later changed strategy to delivering ISO files with hidden <a href="https://www.itpro.com/security/phishing/361534/bazarloader-malware-abuses-windows-10-app-installed-in-call-me-back-attack" data-original-url="https://www.itpro.com/security/phishing/361534/bazarloader-malware-abuses-windows-10-app-installed-in-call-me-back-attack">BazarLoader</a> DLLs – a fileless attack method also common with ransomware groups.</p><p>Microsoft shortcut files, known as LNK shortcuts, were also delivered in these ISO files, with samples indicating they were custom-made by EXOTIC LILY rather than off-the-shelf exploit kits, TAG said.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google doubles bug bounty rewards for Linux, Kubernetes exploits ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/362258/google-doubles-bug-bounty-linux-kubernetes-exploits</link>
                                                                            <description>
                            <![CDATA[ The increased rewards are said to align better with the community's expectations of a bug bounty programme of this kind ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eLFqyZs2JHmnrop3oU2cS7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/sAqLobsdzrPCJjwoWDsoqM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 16 Feb 2022 10:51:28 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/sAqLobsdzrPCJjwoWDsoqM-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Mockup of a stethoscope treating a keyboard, symbolising a computer bug patch]]></media:description>                                                            <media:text><![CDATA[Mockup of a stethoscope treating a keyboard, symbolising a computer bug patch]]></media:text>
                                <media:title type="plain"><![CDATA[Mockup of a stethoscope treating a keyboard, symbolising a computer bug patch]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/sAqLobsdzrPCJjwoWDsoqM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google has announced it will be doubling the rewards it offers to bug hunters who can demonstrate working exploits for a range of zero-day and one-day vulnerabilities across a variety of platforms. </p><p>The reward increases will be applied to exploits discovered in the Linux Kernel, <a href="https://www.itpro.com/enterprise-applications/31654/what-is-kubernetes" data-original-url="https://www.itpro.com/enterprise-applications/31654/what-is-kubernetes">Kubernetes</a>, Google Kubernetes Engine (GKE), or kCTF (Kubernetes-based infrastructure for capture the flag exercises), with the next review coming at the start of 2023.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="/security/27713/the-importance-and-benefits-of-effective-patch-management">Patch management vs vulnerability management</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/ethical-hacking/360394/google-launches-new-bug-bounty-platform" data-original-url="/security/ethical-hacking/360394/google-launches-new-bug-bounty-platform">Google launches new bug bounty platform</a></p></div></div><p>Rewards offered for valid one-day security exploits increase by more than double to a maximum of $71,337, up from $31,337 previously. Sometimes known as 'n-days', one-days are publicly known vulnerabilities that have patches for them, but Google will offer rewards for novel exploits in this case.</p><p>Bug hunters seeking rewards for valid one-day exploits will have to provide a link to the existing <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">patch</a> in their report. Google also said it will be limiting the number of rewards for one-day vulnerabilities to only one version or build.</p><p>"There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the $31,337 base rewards up to 36 times (no limit for the bonuses)," said Eduardo Vela, Product Security Response TL/M at Google. "While we don't expect every upgrade to have a valid 1day submission, we would love to learn otherwise."</p><p>Valid exploits for previously unknown <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerabilities</a> will nearly double to a maximum reward of $91,337, up from $50,337 previously. Zero-day vulnerabilities typically attract greater rewards because any given vendor would always want to secure the weakness before news of it ever reached cyber criminals.</p><p>"We launched an expansion of kCTF VRP on 1 November 2021 in which we paid $31,337 to $50,337 to those that are able to compromise our kCTF cluster and obtain a flag," said Vela. "We increased our rewards because we recognised that in order to attract the attention of the community we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that, we would like to extend it even further to at least until the end of the year (2022)."</p><iframe allow="encrypted-media" frameborder="0" height="" width="100%" data-lazy-priority="low" data-lazy-src="https://open.spotify.com/embed-podcast/episode/1ojGcpJHLKOEausXT9cuVa"></iframe><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="f35o2EnwwnfZvkHHe5RZSd" name="f35o2EnwwnfZvkHHe5RZSd.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/f35o2EnwwnfZvkHHe5RZSd.png" mos="https://cdn.mos.cms.futurecdn.net/f35o2EnwwnfZvkHHe5RZSd.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Vulnerability and patch management</strong></p><p class="fancy-box__body-text">Keep known vulnerabilities out of your IT infrastructure</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/362135/vulnerability-and-patch-management" data-original-url="/security/vulnerability/362135/vulnerability-and-patch-management">FREE DOWNLOAD</a></p></div></div><p>An increasing amount of recent research has highlighted cyber criminals' shift in focus towards Linux environments, both in and outside of the cloud. </p><p>Qualys published findings earlier this year regarding a Linux root privilege flaw that went unnoticed for 12 years while "<a href="https://www.itpro.com/software/linux/362069/pwnkit-12-year-old-linux-root-privilege-flaw-hiding-plain-sight" data-original-url="https://www.itpro.com/software/linux/362069/pwnkit-12-year-old-linux-root-privilege-flaw-hiding-plain-sight">hiding in plain sight</a>", while VMware observed an increasing number of ransomware attacks targeting Linux-based multi-cloud environments <a href="https://www.itpro.com/software/linux/362197/linux-multi-cloud-ransomware-on-the-rise" data-original-url="https://www.itpro.com/software/linux/362197/linux-multi-cloud-ransomware-on-the-rise">last week</a>.</p><p>Full details on the reporting process can be found in the <a href="http://security.googleblog.com/2022/02/roses-are-red-violets-are-blue-giving.html">Google blog post</a>.</p><h3 class="article-body__section" id="section-reward-structure"><span>Reward structure</span></h3><p>Google will offer a base reward of $31,337 for the first valid exploit for a given vulnerability, zero-day or one-day. This will only be paid once per vulnerability and once per cluster version or build. Duplicate exploits will not be awarded unless it presents a novel exploit chain, Google said.</p><p>From there, a total of three bonuses of $20,000 are available depending on the nature of the exploit disclosed. </p><ul><li>$20,000 will be awarded if the exploit is a zero-day</li><li>A further $20,000 will be awarded for exploits that do not require unprivileged user namespaces</li><li>Another $20,000 is on offer to those who can demonstrate novel exploit techniques. This also applies to duplicate exploits and Google requires a full write-up to qualify as a valid submission</li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple users told to update their devices to fix critical WebKit flaw ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/vulnerability/362225/apple-releases-major-security-update-iphones-ipads-macs-webkit</link>
                                                                            <description>
                            <![CDATA[ The security flaw allowed code execution on a range of devices and represents the third major vulnerability to be patched by Apple this year ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">4Ak9xiNbuQXMJo8ZaQrdpB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/canQor7gjMhmdjPVgaSdr7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 11 Feb 2022 12:56:55 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/canQor7gjMhmdjPVgaSdr7-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[iPhone 11 Pro held in someone&amp;#039;s hand]]></media:description>                                                            <media:text><![CDATA[iPhone 11 Pro held in someone&amp;#039;s hand]]></media:text>
                                <media:title type="plain"><![CDATA[iPhone 11 Pro held in someone&amp;#039;s hand]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/canQor7gjMhmdjPVgaSdr7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has patched a serious security flaw in WebKit affecting iOS, iPadOS, and macOS that allowed arbitrary code execution on a range of Apple devices, with evidence indicating that the issue has been actively exploited.</p><p>Experts have advised all Apple users to update their iPhones and iPads to the latest version (15.3.1) to prevent potential attacks caused by accessing maliciously crafted web content. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution" data-original-url="/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution">Apple fixes array of iOS, macOS zero-days and code execution security flaws</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw" data-original-url="/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw">Apple patches zero-day flaw abused by infamous NSO exploit</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a></p></div></div><p>The flaw affects iPhones as old as the iPhone 6s, all <a href="https://www.itpro.com/hardware/tablets/361463/apple-ipad-pro-129in-2021-review-a-giant-leap-for-apple-silicon" data-original-url="https://www.itpro.com/hardware/tablets/361463/apple-ipad-pro-129in-2021-review-a-giant-leap-for-apple-silicon">iPad Pro</a> models, <a href="https://www.itpro.com/tablets/24675/apple-ipad-air-2-review-3" data-original-url="https://www.itpro.com/tablets/24675/apple-ipad-air-2-review-3">iPad Air 2</a> and later, iPad 5th generation and later, <a href="https://www.itpro.com/mobile/33448/apple-ipad-mini-5-2019-review-if-it-ain-t-broke" data-original-url="https://www.itpro.com/mobile/33448/apple-ipad-mini-5-2019-review-if-it-ain-t-broke">iPad Mini</a> 4th generation and later, and iPod Touch 7th generation.</p><p>The same WebKit issue also affects Safari, which prompted Apple to release security updates for its Mac-based browser, available on macOS Big Sur and <a href="https://www.itpro.com/hardware/33774/macos-catalina-release-date-features-news-and-more-mac-and-ipad-become-one" data-original-url="https://www.itpro.com/hardware/33774/macos-catalina-release-date-features-news-and-more-mac-and-ipad-become-one">macOS Catalina</a>. Macs running the latest <a href="https://www.itpro.com/software/operating-systems/361421/macos-monterey-bricking-macs" data-original-url="https://www.itpro.com/software/operating-systems/361421/macos-monterey-bricking-macs">macOS Monterey</a> have been issued a patch for the operating system itself, version 12.2.1.</p><p>The security vulnerability is tracked as CVE-2022-22620 and was disclosed to Apple by an anonymous researcher. In typical fashion, Apple has offered very few details about the vulnerability but said the issue is related to the use after free class, which means it is related to incorrect use of dynamic memory in applications, Kaspersky said in its <a href="https://www.kaspersky.com/blog/webkit-vulnerability-cve-2022-22620/43650">analysis</a>.</p><p>WebKit is a browser engine developed by Apple and mainly used in its Safari browser but also many other applications on Apple's operating systems. It's also present on Linux, as well as Google Chrome and Mozilla Firefox for iPhone.</p><p>Owners of affected Apple devices should check for a software update in their device's settings menu, providing they haven't already received a push notification that an update is ready.</p><p>The patches mark the third major security update this year for Apple after <a href="https://www.itpro.com/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution" data-original-url="https://www.itpro.com/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution">January's array of security issues</a>, including two <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerabilities</a>, were found to affect iPhones, iPads, and Macs.</p><p>The vulnerabilities included serious issues which could have led attackers to execute arbitrary code with kernel privileges with some of them also believed to be actively exploited in the wild.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="f35o2EnwwnfZvkHHe5RZSd" name="f35o2EnwwnfZvkHHe5RZSd.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/f35o2EnwwnfZvkHHe5RZSd.png" mos="https://cdn.mos.cms.futurecdn.net/f35o2EnwwnfZvkHHe5RZSd.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Vulnerability and patch management</strong></p><p class="fancy-box__body-text">Keep known vulnerabilities out of your IT infrastructure</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/362135/vulnerability-and-patch-management" data-original-url="/security/vulnerability/362135/vulnerability-and-patch-management">FREE DOWNLOAD</a></p></div></div><p>Earlier in January, <a href="https://www.itpro.com/network-internet/web-browser/361995/safari-bug-lets-websites-track-browsing-activity-and-unique" data-original-url="https://www.itpro.com/network-internet/web-browser/361995/safari-bug-lets-websites-track-browsing-activity-and-unique">a separate flaw in WebKit was also found</a> that let websites track user's browsing activity and unique identifiers. Described at the time as a 'privacy violation', the bug was particularly troublesome for Apple given its stance on web tracking.</p><p>The company released an anti-tracking <a href="https://www.itpro.com/security/privacy/362151/meta-says-apples-ios-privacy-changes-will-cost-it-10-billion-in-2022" data-original-url="https://www.itpro.com/security/privacy/362151/meta-says-apples-ios-privacy-changes-will-cost-it-10-billion-in-2022">App Tracking Transparency feature in 2021</a> which allowed users to opt-in to a device setting that required installed apps to explicitly ask for their ability to collect data allowing them to track users across other apps and websites. A boon to end-user privacy, <a href="https://www.itpro.com/security/privacy/362151/meta-says-apples-ios-privacy-changes-will-cost-it-10-billion-in-2022" data-original-url="https://www.itpro.com/security/privacy/362151/meta-says-apples-ios-privacy-changes-will-cost-it-10-billion-in-2022">Meta recently said</a> the feature will cost its business $10 billion.</p><p>It follows what was a tricky 2021 in terms of security for Apple. Throughout the course of last year, the company <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">patched</a> numerous zero-day vulnerabilities as well as other security flaws affecting devices in its ecosystem. Most notable among the patches was a fix for the <a href="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw" data-original-url="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw">ForcedEntry exploit</a> used by <a href="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus" data-original-url="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus">NSO Group's Pegasus spyware</a> to gain a foothold in iPhones.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft's Patch Tuesday fixes 70 vulnerabilities after a troublesome January update ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-security/362194/microsoft-patch-tuesday-february-2022-70-fixes</link>
                                                                            <description>
                            <![CDATA[ Microsoft will be hoping for a bug-free round of patches after admins complained of January's updates breaking more components than they fixed ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ok6XBdMP8qWrGpfrdvj619</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/uHJRcqyMAmPxgd93AKxTN6-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 09 Feb 2022 11:21:27 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/uHJRcqyMAmPxgd93AKxTN6-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Image of Microsoft logo on a smartphone in front of a white backdrop with many identical Microsoft logos sprawled across]]></media:description>                                                            <media:text><![CDATA[Image of Microsoft logo on a smartphone in front of a white backdrop with many identical Microsoft logos sprawled across]]></media:text>
                                <media:title type="plain"><![CDATA[Image of Microsoft logo on a smartphone in front of a white backdrop with many identical Microsoft logos sprawled across]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/uHJRcqyMAmPxgd93AKxTN6-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft's latest round of security updates for Windows, often referred to as 'Patch Tuesday', have been released addressing a total of 70 vulnerabilities across Microsoft and Windows products.</p><p>The latest round of <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">patches</a> include fixes for 17 privilege escalation flaws, 16 remote code execution (RCE) issues, 22 Chromium-based Edge browser flaws, and three security feature bypasses, among others.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/server-storage/microsoft-windows-server/362009/windows-server-admins-agree-to-forgo-broken-patches" data-original-url="/server-storage/microsoft-windows-server/362009/windows-server-admins-agree-to-forgo-broken-patches">Windows Server admins agree to forgo broken patches</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them" data-original-url="/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them">17 common Windows 10 problems and how to fix them</a></p></div></div><p>None of the vulnerabilities are rated critical - categorised by a CVSSv3.1 score of 8.9 or higher - though there are a significant number that have a score of 8.8, just shy of critical status and categorised as 'important'.</p><p>There is also no known active exploitation of any of the 70 vulnerabilities fixed by Microsoft at the time of writing, though proof of concept (PoC) code does exist for a small number of them, meaning businesses should apply patches regardless of the level of exploitation currently.</p><p>"It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one Critical-rated patch," said Dustin Childs at the Zero-Day Initiative. </p><p>"It certainly hasn’t happened in recent memory. Interestingly, Microsoft has chosen to provide some additional explanations of CVSS ratings in this month’s release, but there are still many details about the bugs themselves that are left obscured."</p><p>Among the most severe of the 70 bugs addressed in this week's update are issues related to Microsoft SharePoint, an assortment of <a href="https://www.itpro.com/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them" data-original-url="https://www.itpro.com/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them">Windows 10</a> and <a href="https://www.itpro.com/server-storage/microsoft-windows-server/361918/patch-issued-for-windows-server-sign-in-bug" data-original-url="https://www.itpro.com/server-storage/microsoft-windows-server/361918/patch-issued-for-windows-server-sign-in-bug">Windows Server</a> versions, Azure Data Explorer, and <a href="https://www.itpro.com/development/programming/359439/the-top-five-essential-vscode-extensions-for-your-2021-setup" data-original-url="https://www.itpro.com/development/programming/359439/the-top-five-essential-vscode-extensions-for-your-2021-setup">Visual Studio code</a>. </p><h2 id="patch-tuesday-highlights">Patch Tuesday highlights</h2><p><strong>Windows DNS Server RCE Vulnerability - <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21984">CVE-2022-21984</a></strong></p><p>Given a score of 8.8/10, this RCE flaw is among the most severe in this week's patch list and is considered by Microsoft to be a low complexity attack, require low levels of privileges in order to execute, and could result in "a total loss of availability". If exploited, the attacker could fully deny access to resources in the impacted component.</p><p>Qualys <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/microsoft-adobe-17-vulnerabilities-with-5-critical">said</a>: "the server is only affected if dynamic updates are enabled, but this is a relatively common configuration. An attacker might entirely take control of your DNS and execute code with elevated privileges if you have this set up in your environment."</p><p><strong>Windows Kernel Elevation of Privilege Vulnerability - <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21989">CVE-2022-21989</a></strong></p><p>Although on the lower-end of the severity scores with a CVSSv3.1 rating of 7.8/10, this privilege escalation flaw has PoC available which led Microsoft to describe this particular vulnerability as more likely to be exploited. </p><p>It also noted this is a high complexity attack and likely only able to be carried by a sophisticated threat actor given that exploitation success is dependent on conditions beyond the attacker's control. </p><p>"A successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected," said Microsoft.</p><p>Given the local attack vector, a hacker would either need physical access to the target machine via its own connected keyboard and mouse. Alternatively, a remote attack could feasibly work via SSH remote access or tricking a user into opening a malicious document. </p><p><strong>Microsoft SharePoint Server RCE Vulnerability - <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22005">CVE-2022-22005</a></strong></p><p>Another of the "more likely" vulnerabilities patched in this update is an 8.8/10-rated RCE flaw affecting Microsoft SharePoint Server. A low complexity attack requiring low levels of privileges, Microsoft said "an attacker can expect repeatable success against the vulnerable component" due to the absent specialised access conditions or extenuating circumstances required to achieve exploitation.</p><p>Windows administrators can access the updates via Microsoft Update Catalogue.</p><h2 id="patch-tuesday-problems">Patch Tuesday problems</h2><p>January's Patch Tuesday caused <a href="https://www.itpro.com/server-storage/microsoft-windows-server/362009/windows-server-admins-agree-to-forgo-broken-patches" data-original-url="https://www.itpro.com/server-storage/microsoft-windows-server/362009/windows-server-admins-agree-to-forgo-broken-patches">somewhat of an uproar among Windows administrators</a> last month which led many to forgo the myriad security patches released by Microsoft, including a number of <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerabilities</a>. </p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="f35o2EnwwnfZvkHHe5RZSd" name="f35o2EnwwnfZvkHHe5RZSd.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/f35o2EnwwnfZvkHHe5RZSd.png" mos="https://cdn.mos.cms.futurecdn.net/f35o2EnwwnfZvkHHe5RZSd.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Vulnerability and patch management</strong></p><p class="fancy-box__body-text">Keep known vulnerabilities out of your IT infrastructure</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/362135/vulnerability-and-patch-management" data-original-url="/security/vulnerability/362135/vulnerability-and-patch-management">FREE DOWNLOAD</a></p></div></div><p>Online discussions revealed many admins were complaining that updates were breaking core components of their business environments and some uninstalled the updates entirely to resume normal order. </p><p>Experts at the time commented that security patches are almost always recommended to be applied as soon as they become available, but it "is very much a question of risk management and risk assessment," according to Andy Norton, European cyber risk officer at Armis.</p><p>It's not generally advised to ignore security updates, but if they are causing more disruption than they potentially may fix, then businesses may feel it would be better to wait a month for a more stable version to be released.</p><iframe frameborder="0" height="200px" width="100%" data-lazy-priority="low" data-lazy-src="https://widget.spreaker.com/player?episode_id=44556716&theme=light&playlist=false&playlist-continuous=false&autoplay=false&live-autoplay=false&chapters-image=true&episode_image_position=right&hide-logo=false&hide-likes=true&hide-comments=true&hide-sharing=true&hide-download=true&color=ffe019"></iframe><p>"January’s patch release may have left some IT teams feeling somewhat sour as Microsoft had to re-issue updates to fix some unexpected issues caused by the updates," said Kev Breen, director of cyber threat research at Immersive Labs to <em>IT Pro</em> in relation to today's patches. </p><p>"This should not be used as an excuse to skip updates, but it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple fixes array of iOS, macOS zero-days and code execution security flaws ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/362074/apple-fixes-array-of-ios-macos-zero-days-and-code-execution</link>
                                                                            <description>
                            <![CDATA[ The first wave of security updates for Apple products in 2022 follows a year in which a wide variety of security flaws plagued its portfolio of devices ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sopmnKNn2iic91jKWusdM8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kdWQYRnebCeRMuWc86udma-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 27 Jan 2022 12:06:44 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/kdWQYRnebCeRMuWc86udma-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Apple logo on the side of a building]]></media:description>                                                            <media:text><![CDATA[Apple logo on the side of a building]]></media:text>
                                <media:title type="plain"><![CDATA[Apple logo on the side of a building]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kdWQYRnebCeRMuWc86udma-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Apple has patched an array of security issues affecting iOS, iPadOS, and macOS devices, including two <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day vulnerabilities</a>.</p><p>Among the other myriad fixes for <a href="https://support.apple.com/en-us/HT213053">iOS and iPadOS 15.3</a>, and <a href="https://support.apple.com/en-us/HT213054">macOS Monterrey 12.2</a> released on Wednesday were code execution flaws and some that allowed arbitrary code to run on affected devices with kernel privileges.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/business/business-strategy/361588/apple-self-repair-programme-iphones-macs" data-original-url="/business/business-strategy/361588/apple-self-repair-programme-iphones-macs">Apple launches self-repair scheme for iPhones and Macs</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/business-operations/business-management/361508/apple-unveils-business-essentials-for-smbs" data-original-url="/business-operations/business-management/361508/apple-unveils-business-essentials-for-smbs">Apple unveils Business Essentials suite for small businesses</a></p></div></div><p>The first of the two critical flaws, tracked as CVE-2022-22587, involves an issue with the IOMobileFrameBuffer, a kernel extension responsible for managing a device's framebuffer - a portion of RAM that drives the video display. It's believed to have affected the iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, and other devices in the ecosystem too.</p><p>Apple said a malicious application could exploit a flaw in this extension to execute arbitrary code with kernel privileges. Apple also said it previously knew about the security issue and that it believes it may have already been actively exploited in the wild. It was a memory corruption issue Apple fixed with improved input validation.</p><p>The bug was discovered by Meysam Firouzi of MBition - Mercedes-Benz Innovation Lab, and independent researcher Siddharth Aeri. A third, anonymous researchers was also thought to be involved.</p><p>Aeri <a href="https://github.com/b1n4r1b01/n-days/commit/9d88ad30f4b1b674e951791809642d52383b1fb0">published a proof-of-concept</a> (PoC) for the security issue on 31 December 2021 and <a href="https://twitter.com/b1n4r1b01/status/1476949442389417984">noted</a> on their Twitter page that the bug was demonstrated by Pangu Team at Tianfucup 2021, a hacking competition similar to <a href="https://www.itpro.com/security/hacking/361455/experts-break-into-samsung-galaxy-s21-twice-at-pwn2own-hacking-event" data-original-url="https://www.itpro.com/security/hacking/361455/experts-break-into-samsung-galaxy-s21-twice-at-pwn2own-hacking-event">Zero Day Initiative's Pwn2Own</a>.</p><p>The second zero-day flaw was found in Apple's WebKit browser engine and affects Safari 15 on macOS, and all browsers on iOS and iPadOS 15, <a href="https://www.itpro.com/network-internet/web-browser/361995/safari-bug-lets-websites-track-browsing-activity-and-unique" data-original-url="https://www.itpro.com/network-internet/web-browser/361995/safari-bug-lets-websites-track-browsing-activity-and-unique">as <em>IT Pro</em> previously reported</a>.</p><p>Martin Bajanik of FingerprintJS first discovered the bug on 28 November 2021 and made it publicly available on 14 January, before Apple assigned it CVE-2022-22594 and patched it in Wednesday's slew of updates.</p><p>Exploiting the bug would see websites able to track sensitive user information and stemmed from a cross-origin issue in the IndexDB API. Apple fixed it using the same method as the first zero-day, by improving the input validation.</p><p>When he made the public disclosure earlier this month, Bajanik labelled the flaw a privacy violation. "It lets arbitrary websites learn what websites the user visits in different tabs or windows," said Bajanik who authored FingerprintJS' <a href="https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15">analysis</a> of the bug. "This is possible because database names are typically unique and website-specific."</p><p>A total of five arbitrary code execution issues were found to affect iOS 15.3 and iPadOS 15.3, and seven affected macOS Monterrey 12.2. Four of the vulnerabilities in macOS also affected iPhones and iPads, meaning there was a single vulnerability exclusive to iOS 15.3 and iPadOS 15.3, three exclusive to macOS, and four shared across the operating systems of Apple's popular iPhones, iPads, and Mac computers.</p><h3 class="article-body__section" id="section-apple-39-s-zero-day-ridden-2021"><span>Apple's zero-day-ridden 2021</span></h3><p>The latest wave of patches marks Apple's first release of fixes this year and the company was forced to patch a score of zero-day and other critical vulnerabilities throughout 2021, including the <a href="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw" data-original-url="https://www.itpro.com/security/exploits/360870/apple-patches-nso-forcedentry-zero-day-flaw">infamous ForcedEntry exploit</a> used to enable <a href="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus" data-original-url="https://www.itpro.com/security/spyware/361971/el-salvador-becomes-latest-country-targeted-by-pegasus">NSO Group's Pegasus spyware</a>.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="oxZ77o4or4eWr8kndJnTjW" name="oxZ77o4or4eWr8kndJnTjW.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/oxZ77o4or4eWr8kndJnTjW.png" mos="https://cdn.mos.cms.futurecdn.net/oxZ77o4or4eWr8kndJnTjW.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Establishing a strong foundation for DataOps</strong></p><p class="fancy-box__body-text">How to gain a competitive advantage with your available data</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/data-insights/data-management/361920/establishing-a-strong-foundation-for-dataops" data-original-url="/data-insights/data-management/361920/establishing-a-strong-foundation-for-dataops">FREE DOWNLOAD</a></p></div></div><p>Arbitrary code execution zero-days in WebKit were also found <a href="https://www.itpro.com/security/zero-day-exploit/359407/apple-patches-ios-macos-webkit-flaws" data-original-url="https://www.itpro.com/security/zero-day-exploit/359407/apple-patches-ios-macos-webkit-flaws">in May 2021</a> affecting Safari, all third-party iOS browsers, Apple Mail, and the App Store too. An additional emergency patch was also released a month later to fix <a href="https://www.itpro.com/security/zero-day-exploit/359876/apple-patches-ios-12-after-hackers-exploit-webkit-engine-flaws" data-original-url="https://www.itpro.com/security/zero-day-exploit/359876/apple-patches-ios-12-after-hackers-exploit-webkit-engine-flaws">more WebKit flaws in iOS 12</a> which could lead to remote code execution attacks.</p><p>May 2021 was a particularly troubled period for the company, the products from which were once said to not even need antivirus protection. Another significant number of vulnerabilities were fixed at the end of May across iOS, macOS, tvOS, watchOS and Safari, including a macOS Big Sur zero-day vulnerability <a href="https://www.itpro.com/security/malware/359655/apple-fixes-three-macos-flaws-under-attack" data-original-url="https://www.itpro.com/security/malware/359655/apple-fixes-three-macos-flaws-under-attack">under active attack at the time</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday update ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-security/361956/microsoft-january-patch-tuesday-critical-rce-flaws</link>
                                                                            <description>
                            <![CDATA[ Microsoft has kicked off 2022 with a score of security fixes for critical-rated vulnerabilities in some of the most widely used products used by businesses around the world ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kk7sSkTNNHmByFzE68nY72</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/xQfg5Vc7YXULHE5hc4CvHi-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 12 Jan 2022 10:53:55 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Microsoft Office]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Microsoft]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/xQfg5Vc7YXULHE5hc4CvHi-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Win 11 on a smartphone in front of code on a monitor]]></media:description>                                                            <media:text><![CDATA[Win 11 on a smartphone in front of code on a monitor]]></media:text>
                                <media:title type="plain"><![CDATA[Win 11 on a smartphone in front of code on a monitor]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/xQfg5Vc7YXULHE5hc4CvHi-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has fixed a total of 98 security vulnerabilities as part of its January 2022 Patch Tuesday update released this week, including 29 remote code execution (RCE) flaws and six zero-days.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/361839/the-scariest-security-horror-stories-of-2021" data-original-url="/security/cyber-security/361839/the-scariest-security-horror-stories-of-2021">The scariest security horror stories of 2021</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="/security/27713/the-importance-and-benefits-of-effective-patch-management">Patch management vs vulnerability management</a></p></div></div><p>Of the 98 total vulnerabilities, nine were rated 'critical' - having a CVE score of nine or greater. Among the most severe security issues patched by Microsoft were a pair of RCEs both with scores of 9.8/10 affecting Windows Servers and systems with internet key exchange (IKE).</p><p>The flaw affecting Windows servers that are configured as a webserver, tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907">CVE-2022-21907</a>, allows unauthenticated cyber attackers to send specially crafted packets to targeted servers utilising the HTTP Protocol Stack. Microsoft also said the issue is <a href="https://www.itpro.com/network-internet/32608/what-was-the-morris-worm" data-original-url="https://www.itpro.com/network-internet/32608/what-was-the-morris-worm">wormable</a> and recommends <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">patching</a> all affected servers as a priority task.</p><p>Another of the more serious flaws Microsoft patched this week was one found affecting internet key exchange (IKE), though Microsoft has been tight-lipped on the full details of the problem.</p><p>"CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attacker to affect an entire intranet once the attack succeeds," said Danny Kim, principal architect at Virsec, to <em>IT Pro</em>. </p><p>"Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts," he added. "Instead of trying to continuously patch and identify these vulnerabilities, enterprises should look for a real-time monitoring solution to safeguard applications and their functionalities from these types of attacks."</p><p>The RCE vulnerability, tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21849">CVE-2022-21849</a>, can be exploited with 'low complexity', according to Microsoft's patch notes, and allows unauthenticated attackers to trigger multiple vulnerabilities when the IPSec service is running on Windows.</p><p>Microsoft Exchange Server also received five separate fixes for one critical-rated RCE vulnerability, tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21846">CVE-2022-21846</a>, rated 9.0/10, with an 'adjacent' attack vector which means the attack is limited at the protocol level. This particular flaw was first flagged to Microsoft by the National Security Agency (NSA), which has raised attention to other Microsoft Exchange security issues throughout 2021.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="M2WpDQRjBJ3Hd2qkprKffM" name="M2WpDQRjBJ3Hd2qkprKffM.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/M2WpDQRjBJ3Hd2qkprKffM.jpg" mos="https://cdn.mos.cms.futurecdn.net/M2WpDQRjBJ3Hd2qkprKffM.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Busting the myths about SSO</strong></p><p class="fancy-box__body-text">Why SSO capability is critical to the success of IAM</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/single-sign-on-sso/361519/busting-the-myths-about-sso" data-original-url="/security/single-sign-on-sso/361519/busting-the-myths-about-sso">FREE DOWNLOAD</a></p></div></div><p>In order to achieve exploitation, cyber attackers would have to first gain a foothold onto a victim's environment, such as being on the same shared physical network, like <a href="https://www.itpro.com/security/359664/new-bluetooth-vulnerability-enables-hackers-to-mimic-genuine-devices" target="_blank" data-original-url="https://www.itpro.com/security/359664/new-bluetooth-vulnerability-enables-hackers-to-mimic-genuine-devices">Bluetooth</a> or IEEE 802.11. This type of flaw is common with man-in-the-middle setups, Microsoft said.</p><p>Numerous flaws affecting the Microsoft Office suite were also patched by Microsoft but perhaps the most serious one, tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21840">CVE-2022-21840</a>, addressed 26 individual critical-rated flaws in one vulnerability. It has a CVE score of 8.8/10 and attackers could achieve remote code execution on a victim's machine if they opened a specially crafted file.</p><p>The flaw is thought to be slightly less likely to exploit given that some user interaction is required (opening the file), but Microsoft still categorised it as a 'low complexity' exploit, meaning cyber attackers can expect repeatable success against the vulnerable component.</p><p>Microsoft has issued updates for Windows machines, all of which are advised to be installed, but certain Mac users will have to wait for patches as they are not immediately available.</p><div class="youtube-video" data-nosnippet ><div class="video-aspect-box"><iframe data-lazy-priority="low" data-lazy-src="https://www.youtube-nocookie.com/embed/0JT8jBJUPrc" allowfullscreen></iframe></div></div><p>A full list of the now-patched security issues has been <a href="https://msrc.microsoft.com/update-guide/vulnerability">published by Microsoft</a> with RCE flaws affecting products including Windows Server, Microsoft Exchange Server, SharePoint Server, the Microsoft Office suite, DirectX, Windows Remote Desktop Protocol, Windows Resilient File System, and other areas.</p><p>"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell – reportedly the worst vulnerability seen in decades," said Bharat Jogi, director, vulnerability and threat research at Qualys to <em>IT Pro</em>. "Unpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks – and bring to the forefront the importance of having an automated inventory of everything that is used by an organisation in their environment. </p><p>"It is the need of the hour to automate deployment of patches for events with defined schedules, such as Microsfot's Patch Tuesday, so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk to an organisation’s crown jewels."</p><h3 class="article-body__section" id="section-six-zero-day-vulnerabilities"><span>Six zero-day vulnerabilities</span></h3><p>In addition to the array of security vulnerabilities affecting Microsoft products, six <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-days</a> are also now patched, though no evidence suggests any of them were actively exploited.</p><ul><li><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919">CVE-2022-21919</a> - Windows User Profile Service Elevation of Privilege Vulnerability</li><li><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836">CVE-2022-21836</a> - Windows Certificate Spoofing Vulnerability</li><li><a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21839">CVE-2022-21839</a> - Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability</li><li><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874">CVE-2022-21874</a> - Windows Security Center API Remote Code Execution Vulnerability</li><li><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947">CVE-2021-22947</a> - Open Source Curl Remote Code Execution Vulnerability</li><li><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976">CVE-2021-36976</a> - Libarchive Remote Code Execution Vulnerability</li></ul><p>None of the above zero-days were actively exploited, but publicly available proof of concept (PoC) code is available so businesses should still patch these as a matter of priority before exploitation attempts do start occurring.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The scariest security horror stories of 2021  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-security/361839/the-scariest-security-horror-stories-of-2021</link>
                                                                            <description>
                            <![CDATA[ A crisis at Microsoft, the ransomware resurgence, and endless zero-days dominated headlines ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iVoVo4nJ9FV3Ctyunq2Y2y</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/xH65SKaC9StGBUq7g6tS57-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 28 Dec 2021 08:00:08 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/xH65SKaC9StGBUq7g6tS57-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A hacker against a red background]]></media:description>                                                            <media:text><![CDATA[A hacker against a red background]]></media:text>
                                <media:title type="plain"><![CDATA[A hacker against a red background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/xH65SKaC9StGBUq7g6tS57-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <div class="youtube-video" data-nosnippet ><div class="video-aspect-box"><iframe data-lazy-priority="low" data-lazy-src="https://www.youtube-nocookie.com/embed/LuqAVA1jiPI" allowfullscreen></iframe></div></div><p>It’s been a whirlwind of a year, with the <a href="https://www.itpro.com/business/business-strategy/358445/covid-19-and-the-impact-on-tech-resourcing" target="_blank" data-original-url="https://www.itpro.com/business/business-strategy/358445/covid-19-and-the-impact-on-tech-resourcing">very worst of COVID-19</a> sandwiching Facebook’s annual PR crisis and a litany of cyber security tales from the deep. Indeed, security teams are still scrambling daily to wrestle with the number of threats facing businesses, while ransomware gangs continue to ransack their way across the globe.</p><p>The likes of <a href="https://www.itpro.com/security/ransomware/360813/revil-ransomware-gang-resurfaces" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/360813/revil-ransomware-gang-resurfaces">REvil</a> and <a href="https://www.itpro.com/security/hacking/361340/what-is-emotet" target="_blank" data-original-url="https://www.itpro.com/security/hacking/361340/what-is-emotet">Emotet</a> have terrorised businesses, while also sporadically and unexpectedly shutting down amid mounting pressure from law enforcement. From crippling attacks on critical national infrastructure to the persistent <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" target="_blank" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">exploitation of zero-day vulnerabilities</a>, most recently in the form of the Log4Shell vulnerability, we round up the most shocking cyber security scandals of the past 12 months.</p><h2 id="microsoft-exchange-under-siege">Microsoft Exchange under siege</h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="MXne2nxfdqMYSdQDSUtfDR" name="" alt="The Microsoft Exchange Server software being accessed on a notebook device" src="https://cdn.mos.cms.futurecdn.net/MXne2nxfdqMYSdQDSUtfDR.jpg" mos="https://cdn.mos.cms.futurecdn.net/MXne2nxfdqMYSdQDSUtfDR.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>It’s been a torrid time for Microsoft Exchange this year, with zero-day exploits and vulnerabilities emerging from every corner. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/361417/microsoft-exchange-servers-distribute-squirrelwaffle-malware" data-original-url="/security/ransomware/361417/microsoft-exchange-servers-distribute-squirrelwaffle-malware">Microsoft Exchange Servers are being used to distribute Qakbot malware</a></p></div></div><p>The problems began in March, when Microsoft announced it’d discovered what it believed to be the Chinese hacking group, Hafnium, executing a <a href="https://www.itpro.com/security/zero-day-exploit/358760/microsoft-exchange-zero-day-hack" target="_blank" data-original-url="https://www.itpro.com/security/zero-day-exploit/358760/microsoft-exchange-zero-day-hack">sophisticated attack using a chain of four previously undisclosed zero-day flaws</a> targeting on-premise Exchange servers. Hafnium gained access using these vulnerabilities and stolen passwords, before creating a web shell around the compromised servers. This allowed them to exfiltrate email data remotely.</p><p>It’s estimated a total of 30,000 servers were compromised across the world, including 7,000 in the UK. Patches were soon released for large organisations before a <a href="https://www.itpro.com/security/cyber-attacks/358907/microsoft-releases-one-click-patch-for-hafnium-vulnerability" target="_blank" data-original-url="https://www.itpro.com/security/cyber-attacks/358907/microsoft-releases-one-click-patch-for-hafnium-vulnerability">one-click patch</a> was issued for smaller businesses without dedicated IT teams.</p><p>Unfortunately, this was shortly followed by a series of additional zero-days, including three the NSA <a href="https://www.itpro.com/server-storage/servers/359207/microsoft-releases-three-new-exchange-server-patches" target="_blank" data-original-url="https://www.itpro.com/server-storage/servers/359207/microsoft-releases-three-new-exchange-server-patches">disclosed in April</a>, before ProxyToken was unleashed in August. This flaw, again </p><p>hastily patched, could have been abused to steal personal information and perform configuration actions on target mailboxes. Zero Day Initiative experts said, at the time, this could have allowed a hacker to gather and exfiltrate all email addresses in a person’s inbox, which would then be harnessed in phishing campaigns. The <a href="https://www.itpro.com/security/ransomware/358876/microsoft-warns-of-ransomware-attacks-as-exchange-hack-escalates" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/358876/microsoft-warns-of-ransomware-attacks-as-exchange-hack-escalates">ProxyLogon</a> exploit was subsequently at the centre of various attacks, with Epsilon Red <a href="https://www.itpro.com/security/ransomware/359737/new-ransomware-targets-unpatched-microsoft-exchange-servers" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/359737/new-ransomware-targets-unpatched-microsoft-exchange-servers">targeted servers</a> in June. At least ten groups have since abused the Hafnium exploit chain, with Qakbot and SquirrelWaffle malspam most recently <a href="https://www.itpro.com/security/ransomware/361417/microsoft-exchange-servers-distribute-squirrelwaffle-malware" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/361417/microsoft-exchange-servers-distribute-squirrelwaffle-malware">spreading via unpatched servers</a>.</p><h2 id="facebook-s-first-major-snafu-of-the-year">Facebook’s first major snafu of the year</h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="WGCsRefGv8J2gf78DhKqj8" name="" alt="Facebook sign at entrance of its campus" src="https://cdn.mos.cms.futurecdn.net/WGCsRefGv8J2gf78DhKqj8.jpg" mos="https://cdn.mos.cms.futurecdn.net/WGCsRefGv8J2gf78DhKqj8.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>Facebook, once more, endured a crisis-laden year, with a humongous data scandal setting the tone for a rocky few months that eventually led to the damaging revelations detailed by whistleblower Frances Haugen.</p><p>On 3 April, somebody uploaded a database containing the personal information of 533 million users to a publicly accessible popular deep web hacking forum. This represented a fifth of Facebook’s user base, mainly based in the UK, US, and India. The leak included phone numbers, full names, previous locations, birth dates, relationship statuses, biographies, and, in some cases, email addresses. Experts, at the time, said the information would likely be used for social engineering campaigns, hacking, and marketing purposes.</p><iframe allow="encrypted-media" frameborder="0" height="" width="100%" data-lazy-priority="low" data-lazy-src="https://open.spotify.com/embed-podcast/episode/2znUT5UIPFAM1pGya83iwT"></iframe><p>Facebook <a href="https://www.itpro.com/policy-legislation/data-protection/359114/facebook-data-breach-533-million-hacking-forum" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/data-protection/359114/facebook-data-breach-533-million-hacking-forum">initially explained</a> the hackers scraped data from its servers by exploiting a misconfiguration in its contact importer. This, however, was actually part of a vulnerability the firm had patched in 2019; it knew the data had been compromised but the situation was out of its hands. The unknown hacker then, last year, created the database using this stolen information and established a business on Telegram whereby users paid a small fee to query the database and find phone numbers linked to Facebook profiles. Despite this endeavour, the hacker changed tack and dumped it all online in April. </p><h2 id="colonial-s-pipeline-runs-dry">Colonial’s Pipeline runs dry</h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="t3k9kzgyaStXoWF4muGmeh" name="" alt="A gas pump put out of action by the cyber attack against Colonial Pipeline" src="https://cdn.mos.cms.futurecdn.net/t3k9kzgyaStXoWF4muGmeh.jpg" mos="https://cdn.mos.cms.futurecdn.net/t3k9kzgyaStXoWF4muGmeh.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>The <a href="https://www.itpro.com/security/ransomware/359466/colonial-pipeline-ransomware-attack" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/359466/colonial-pipeline-ransomware-attack">double-extortion ransomware siege</a> on Colonial Pipeline was among the most widely-reported attacks of 2021 due to the sheer scale of impact it had on US infrastructure. </p><p>The firm managing the 5,500-mile pipeline between Texas and New York, tasked with delivering 45% of the East Coast’s fuel, was brought to its knees for six days, with supplies cut off, in May. Russian-linked DarkSide took credit, having previously sold information about its attacks to stock traders <a href="https://www.itpro.com/security/ransomware/359328/ransomware-operators-selling-intel-to-traders-to-extort-victims" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/359328/ransomware-operators-selling-intel-to-traders-to-extort-victims">the previous month</a>.</p><p>DarkSide also threatened to leak information from the 100GB of data it stole before locking down the company’s systems. For consumers, limited fuel supply meant US residents had to physically compete with one another for resources, as a hoarding craze took hold. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text">The truth about ransomware</p></div></div><p>Before long, Colonial Pipeline went against cyber security best practice and paid the ransom, reported to be <a href="https://www.itpro.com/security/ransomware/359615/colonial-pipeline-ceo-confirms-the-company-paid-darkside-hackers-44" data-original-url="https://www.itpro.com/security/ransomware/359615/colonial-pipeline-ceo-confirms-the-company-paid-darkside-hackers-44">$4.4 million</a> (roughly £3.3 million). The Department of Justice (DoJ) <a href="https://www.itpro.com/security/ransomware/359800/doj-recovers-majority-of-ransom-paid-by-colonial-pipeline" data-original-url="https://www.itpro.com/security/ransomware/359800/doj-recovers-majority-of-ransom-paid-by-colonial-pipeline">eventually recovered</a> most of this sum, but the fear of future attacks catalysed a shift in focus for policymakers. <a href="https://www.itpro.com/business/policy-legislation/360301/us-has-new-cyber-security-rules-for-pipelines" data-original-url="https://www.itpro.com/business/policy-legislation/360301/us-has-new-cyber-security-rules-for-pipelines">Stricter rules</a> around securing pipelines from cyber attacks were swiftly introduced, and the incident prompted the Biden administration to promote ransomware to <a href="https://www.itpro.com/security/ransomware/359771/us-to-give-ransomware-terrorism-status" data-original-url="https://www.itpro.com/security/ransomware/359771/us-to-give-ransomware-terrorism-status">‘terrorism’ status</a>. The attack was so bad that even DarkSide was forced to change its operation, namely <a href="https://www.itpro.com/security/cyber-crime/361523/europol-report-ddos-ransomware-gangs-evade-capture" data-original-url="https://www.itpro.com/security/cyber-crime/361523/europol-report-ddos-ransomware-gangs-evade-capture">introducing a moderation process</a> following a massive backlash.</p><h2 id="kaseya-supply-chain-attack-cripples-millions-of-devices">Kaseya supply chain attack cripples millions of devices</h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="bFQu3h53zHpohYToQdXjg6" name="" alt="A 2D mockup image of a business paying a cyber criminal for a ransom" src="https://cdn.mos.cms.futurecdn.net/bFQu3h53zHpohYToQdXjg6.jpg" mos="https://cdn.mos.cms.futurecdn.net/bFQu3h53zHpohYToQdXjg6.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>The summer months were marred with yet another mass-scale cyber attack, this time on Kaseya’s VSA product, a tool Managed Service Providers (MSPs) use to monitor their clients’ IT needs. The culprit, REvil, targeted a zero-day flaw in <a href="https://www.itpro.com/security/vulnerability/360185/kaseya-patches-vsa-flaws-exploited-in-revil-ransomware-attack" target="_blank" data-original-url="https://www.itpro.com/security/vulnerability/360185/kaseya-patches-vsa-flaws-exploited-in-revil-ransomware-attack">VSA specifically</a> due to functionality that allowed IT managers to push updates to clients without intervention.</p><p>Ironically, Kaseya had been working with Dutch security firm DIVD CSIRT at the time to patch the flaw REvil eventually exploited; this was a race against the clock the researchers unfortunately lost. Kaseya first announced 50 customers were affected but, in reality, the ransomware hit <a href="https://www.itpro.com/security/ransomware/360122/up-to-1500-organizations-compromised-in-kaseya-ransomware-attack" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/360122/up-to-1500-organizations-compromised-in-kaseya-ransomware-attack">more than 1,000 victims</a> and crippled more than a million devices. This isn’t to mention <a href="https://www.itpro.com/security/ransomware/360108/revil-demands-70-million-ransom-after-kaseya-supply-chain-attack" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/360108/revil-demands-70-million-ransom-after-kaseya-supply-chain-attack">REvil’s gargantuan reported ransom demand</a> of $70 million (roughly £52 million) for supplying the universal decryptor.</p><div class="youtube-video" data-nosnippet ><div class="video-aspect-box"><iframe data-lazy-priority="low" data-lazy-src="https://www.youtube-nocookie.com/embed/Zeo5SvW2Tls" allowfullscreen></iframe></div></div><p>What followed was a total shut down of VSA servers, with researchers eventually patching the three zero-day flaws that facilitated the attack. Opportunistic cyber criminals, though, persisted by capitalising on the mayhem with <a href="https://www.itpro.com/security/phishing/360174/researchers-spot-phishing-attacks-in-wake-kaseya-vsa-ransomware" target="_blank" data-original-url="https://www.itpro.com/security/phishing/360174/researchers-spot-phishing-attacks-in-wake-kaseya-vsa-ransomware">specialised phishing campaigns</a> purporting to supply system-fixing updates from Kaseya. Weeks later, Kaseya <a href="https://www.itpro.com/security/ransomware/360337/kaseya-obtains-master-decryptor-third-party-following-revil-attack" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/360337/kaseya-obtains-master-decryptor-third-party-following-revil-attack">obtained a decryptor through a third party</a>, insisting no payment was made.</p><p>Curiously, REvil shut down days after the attack; its servers and website were rendered offline. The group, however, <a href="https://www.itpro.com/security/ransomware/360813/revil-ransomware-gang-resurfaces" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/360813/revil-ransomware-gang-resurfaces">returned in September</a> by reopening its ‘Happy Blog’ – a site on which victims who refuse to pay are named and ‘shamed’ – before vanishing again in light of a <a href="https://www.itpro.com/security/ransomware/361480/three-revil-ransomware-gang-members-arrested-following-international" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/361480/three-revil-ransomware-gang-members-arrested-following-international">Europol-led sting operation</a>.</p><h2 id="printnightmare-a-comedy-of-errors">PrintNightmare: A comedy of errors </h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="6KkdCPUDoaPNLRQmrgeRvd" name="" alt="A broken window pane" src="https://cdn.mos.cms.futurecdn.net/6KkdCPUDoaPNLRQmrgeRvd.jpg" mos="https://cdn.mos.cms.futurecdn.net/6KkdCPUDoaPNLRQmrgeRvd.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>The aptly-named PrintNightmare fiasco arose <a href="https://www.itpro.com/security/exploits/360091/hackers-are-abusing-the-leaked-printnightmare-windows-exploit" data-original-url="https://www.itpro.com/security/exploits/360091/hackers-are-abusing-the-leaked-printnightmare-windows-exploit">at the start of July</a> after a devastating misunderstanding led to a reputable cyber security vendor, Sangfor, inadvertently publishing a working exploit for an unpatched vulnerability. </p><p>Microsoft had <a href="https://www.itpro.com/security/vulnerability/360145/microsofts-emergency-printnightmare-patch-can-be-bypassed" target="_blank" data-original-url="https://www.itpro.com/security/vulnerability/360145/microsofts-emergency-printnightmare-patch-can-be-bypassed">initially patched a privilege escalation vulnerability in its Print Spooler component</a> on 8 June as part of its routine Patch Tuesday wave of updates. The firm, however, two weeks later upgraded the severity of the bug to remote code execution (RCE). The vulnerability in question allowed attackers to install applications, view, change or delete data, or create new accounts with full privileges on targeted devices.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">What's behind the explosion in zero-day exploits?</a></p></div></div><p>Sangfor researchers, meanwhile, were conducting their own research into Print Spooler vulnerabilities, ahead of a presentation at the Black Hat cyber security conference in August. When Microsoft upgraded the severity of the now-patched PrintSpooler flaw, the researchers published a proof-of-concept exploit for an RCE flaw ahead of time, mistakenly believing this to be the same vulnerability that Microsoft had patched in June. </p><p>By the time Sangfor realised this mistake and took its report down, the exploitation was already being distributed across the hacking community. </p><p>Microsoft <a href="https://www.itpro.com/security/vulnerability/360219/microsoft-patch-tuesday-printnightmare-fix" target="_blank" data-original-url="https://www.itpro.com/security/vulnerability/360219/microsoft-patch-tuesday-printnightmare-fix">promptly issued a patch</a>, but this ultimately proved unsuccessful, after another researcher published a workaround. Then, the firm released a working patch on its second attempt on 13 July, alongside fixes for 117 other flaws.</p><h2 id="emotet-buried-by-europol-then-rises-from-the-ashes">Emotet buried by Europol – then rises from the ashes</h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="VhYZAkkx5vCjyJNDbzgnzj" name="" alt="Closeup of a criminal's wrists in handcuffs" src="https://cdn.mos.cms.futurecdn.net/VhYZAkkx5vCjyJNDbzgnzj.jpg" mos="https://cdn.mos.cms.futurecdn.net/VhYZAkkx5vCjyJNDbzgnzj.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>Emotet was undoubtedly one of the most devastating strains of malware ever authored; at its peak, it provided an access point for up to 70% of malware strains in global circulation. The infamous banking Trojan’s significance and effectiveness was incontrovertible, but Christmas came late for security teams in January as a coordinated law enforcement effort, led by Europol, <a href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" target="_blank" data-original-url="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">took it down for good</a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-crime/361523/europol-report-ddos-ransomware-gangs-evade-capture" data-original-url="/security/cyber-crime/361523/europol-report-ddos-ransomware-gangs-evade-capture">Europol reveals how ransomware gangs are evolving to evade capture</a></p></div></div><p>That was, at least, the line they touted at the time. Europol officers, alongside colleagues from the UK, US, and France, seized several hundred servers comprising Emotet’s infrastructure. It was a huge relief, given the malware was, as of a month earlier, affecting up to <a href="https://www.itpro.com/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware" target="_blank" data-original-url="https://www.itpro.com/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware">100,000 users per day</a>. German authorities later used the seized Emotet servers to uninstall the Trojan from infected devices – a dagger to the heart.</p><p>This brief period of bliss lasted just six months, however, with researchers discovering a retooled iteration of <a href="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot" target="_blank" data-original-url="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot">Emotet re-emerging in the wild</a>. Back with better-protected code and infrastructure, security experts are now, once again, on high alert, warning staff of the telltale signs of Emotet-infected emails. Whether this resurgent strain becomes as prolific as its predecessor remains to be seen, but it’s certainly a comeback that’s sent shockwaves through the security community.</p><h2 id="log4shell-is-a-genuine-nightmare-before-christmas">Log4Shell is a genuine nightmare before Christmas</h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="rcgqGm2k9qbr9K4kHhEmvU" name="" alt="An abstract image showing a skull over a pixelated background to symbolise a cyber security vulnerability" src="https://cdn.mos.cms.futurecdn.net/rcgqGm2k9qbr9K4kHhEmvU.jpg" mos="https://cdn.mos.cms.futurecdn.net/rcgqGm2k9qbr9K4kHhEmvU.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>Discovered just weeks before the year’s end as a glitch in Minecraft, of all places, chatter continues to run rife in the infosec community about just how dangerous the flaw known as Log4Shell could be.</p><p><a href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" target="_blank" data-original-url="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">Log4Shell</a> is a zero-day vulnerability in the popular log4j 2 library, a logger that’s almost ubiquitous in global Java apps and enterprise products. Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Fline, are thought to be particularly vulnerable. There are, however, products being found to be vulnerable with each day that passes since its 9 December discovery. </p><p>While the vast majority of products written in Java are thought to be vulnerable to the RCE tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228" target="_blank">CVE-2021-44228</a>, the true breadth of the attack surface is still yet to be confirmed and isn’t likely to be fully realised for months, according to experts. Attackers, however, can certainly utilise a long-known exploitation method known as Java Naming and Directory Interface (JNDI) injection to achieve RCE.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/358164/the-scariest-security-horror-stories-of-2020" data-original-url="/security/358164/the-scariest-security-horror-stories-of-2020">The scariest security horror stories of 2020</a></p></div></div><p>There are currently no known major exploitations of the vulnerability, but early evidence points to Mirai botnets being launched using vulnerable infrastructure, with other attacks likely. To that effect, Check Point researchers observed <a href="https://blog.checkpoint.com/2021/12/13/the-numbers-behind-a-cyber-pandemic-detailed-dive" target="_blank">more than 800,000 attack attempts</a> using the vulnerability within 72 hours of disclosure. With patches available, it’s set to be a turbulent and anxious few weeks for cyber security professionals across the globe as the industry watches the prospective horrors unfold.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Log4Shell: New numbers reveal the scale of the critical software exploit ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/361847/log4shell-zero-day-vulnerability-numbers-revealed</link>
                                                                            <description>
                            <![CDATA[ Researchers detail how much the Log4J vulnerability is being exploited and who is being targeted the most ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9DVJubW8DbQJdvSEdai5Te</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Uu8ypYoikN9AbKtZ9B3yyc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Dec 2021 13:05:14 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Uu8ypYoikN9AbKtZ9B3yyc-1280-80.jpg">
                                                            <media:credit><![CDATA[Check Point Research]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Abstract image of stacked broken egg shells]]></media:description>                                                            <media:text><![CDATA[Abstract image of stacked broken egg shells]]></media:text>
                                <media:title type="plain"><![CDATA[Abstract image of stacked broken egg shells]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Uu8ypYoikN9AbKtZ9B3yyc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The scale of the threat associated with the <a href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">recently discovered Log4Shell vulnerability</a> has been quantified for the first time, with nearly 1 million attack attempts launched in just 72 hours following the critical vulnerability's disclosure on 9 December.</p><p>Experts from Check Point Research <a href="https://blog.checkpoint.com/2021/12/13/the-numbers-behind-a-cyber-pandemic-detailed-dive">published observations</a> from early vulnerability scans on Tuesday, which revealed attempts to exploit systems vulnerable to Log4Shell increased from 40,000 in the immediate 12-hour period following disclosure, to 830,000 attempts after just three days.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">What is the Log4Shell vulnerability?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities" data-original-url="/security/exploits/360411/top-30-most-exploited-vulnerabilities">The most exploited cyber security vulnerabilities</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="/security/27713/the-importance-and-benefits-of-effective-patch-management">Patch management vs vulnerability management</a></p></div></div><p>Researchers said the vulnerability "is clearly one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable". The security community is still scrambling to fully understand the attack surface for Log4Shell, <a href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">the RCE vulnerability in the log4j Java logging component revealed last week</a>.</p><p>"The number of combinations of how to exploit it give the attacker many alternatives to bypass newly introduced protections," researchers said. "It means that one layer of protection is not enough, and only multi-layered security posture would provide a resilient protection. Three days after the outbreak, we are summing up what we see until now, which is clearly a cyber pandemic that hasn’t seen its peak yet."</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="oGeWLDeMAWuH78BNNU2ovW" name="" alt="A graph indicating the rise in exploitation attempts of Log4Shell" src="https://cdn.mos.cms.futurecdn.net/oGeWLDeMAWuH78BNNU2ovW.jpg" mos="https://cdn.mos.cms.futurecdn.net/oGeWLDeMAWuH78BNNU2ovW.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Check Point Research)</span></figcaption></figure><p>The industry has banded together to share quick fixes and easy ways to remediate issues in the enterprise, but research has shown attackers are finding new ways to exploit the vulnerability.</p><p>Check Point Research said it has seen a steady increase in exploit evolutions over the course of 72 hours since Log4Shell's discovery, with more than 60 different methods already in use.</p><p>Findings from their investigation are said to resemble a cyber pandemic, in which attacks spread quickly and evolve continually to break through attempted fixes.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Dz4sYXiQbegaRPzUKJjdhN" name="" alt="A graph depicting the swift evolution of exploitation of Log4Shell" src="https://cdn.mos.cms.futurecdn.net/Dz4sYXiQbegaRPzUKJjdhN.jpg" mos="https://cdn.mos.cms.futurecdn.net/Dz4sYXiQbegaRPzUKJjdhN.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Check Point Research)</span></figcaption></figure><h2 id="who-is-most-vulnerable-to-log4shell">Who is most vulnerable to Log4Shell?</h2><p>The investigation also looked at corporate exposure to Log4Shell and concluded that a global average of 40% of all networks across the world could be vulnerable to log4j flaws.</p><p>Australia and New Zealand were found to be the most exposed at 46.2% of all corporate networks, with Europe close behind with 42.2%. Asia and North America are the least exposed at 37.7% and 36.4% respectively.</p><iframe frameborder="0" height="200px" width="100%" data-lazy-priority="low" data-lazy-src="https://widget.spreaker.com/player?episode_id=44556716&theme=light&playlist=false&playlist-continuous=false&autoplay=false&live-autoplay=false&chapters-image=true&episode_image_position=right&hide-logo=false&hide-likes=true&hide-comments=true&hide-sharing=true&hide-download=true&color=ffe019"></iframe><p>Value-added resellers and the education sectors were found to be particularly vulnerable compared to other industries, with around half of all organisations across the two sectors thought to be affected.</p><p>Unlike with the COVID-19 pandemic, the retail and hospitality sectors are thought to be the least affected, with around a quarter of organisations exposed to log4j-based attacks.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="iAVch4E74nXskoYH6rVd54" name="iAVch4E74nXskoYH6rVd54.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/iAVch4E74nXskoYH6rVd54.png" mos="https://cdn.mos.cms.futurecdn.net/iAVch4E74nXskoYH6rVd54.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Modernise endpoint protection and leave your legacy challenges behind</strong></p><p class="fancy-box__body-text">The risk of keeping your legacy endpoint security tools</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/endpoint-security/360946/modernise-endpoint-protection-and-leave-your-legacy-challenges" data-original-url="/security/endpoint-security/360946/modernise-endpoint-protection-and-leave-your-legacy-challenges">FREE DOWNLOAD</a></p></div></div><p>There is significant pressure felt by security teams across the globe to fully patch the vulnerability. Upgrading to the latest version of the log4j library, version 2.15.0, is so far the best mitigation against the flaw.</p><p>Also this week, the US' Cybersecurity and Infrastructure Security Agency (CISA) <a href="https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance">told all federal agencies they had until 24 December to patch systems</a> and protect them from Log4Shell.</p><p>It follows a recent increase in focus on <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">patch management</a> across the US public sector, led by CISA, after the agency <a href="https://www.itpro.com/security/vulnerability/361441/cisa-federal-agencies-cyber-security-patch-deadlines" data-original-url="https://www.itpro.com/security/vulnerability/361441/cisa-federal-agencies-cyber-security-patch-deadlines">issued deadlines</a> to all federal departments in November to patch a 300-strong list of major cyber security vulnerabilities. The first deadline passed weeks later but CISA declined to confirm to <em>IT Pro</em> if all federal agencies had met the requirements in time.</p><p>Check Point Research said it thinks the vulnerability in the log4j library "will stay with us for years to come" due to the complexity in patching it and the ease in which attackers can exploit it.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is the Log4Shell vulnerability? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability</link>
                                                                            <description>
                            <![CDATA[ The critical flaw affecting products built using Java is set to cause headaches in the enterprise for some time to come ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">oZ6Zr6bvZZivTueSa7SoLU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/erynALx5P4m9bG3NhzqxUN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 13 Dec 2021 11:04:27 +0000</pubDate>                                                                                                                                <updated>Wed, 25 Mar 2026 23:01:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ connor.jones@futurenet.com (Connor Jones) ]]></author>                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs.&lt;/p&gt;
&lt;p&gt;Connor has previously written for the likes of Red Bull Esports and UNILAD, before a lengthy stint at ITPro. He has a master’s degree in Magazine Journalism from one of the UK’s leading journalism departments at the University of Sheffield, as well as an undergraduate degree in English Language from Sheffield Hallam University.&lt;/p&gt;
&lt;p&gt;When he’s not hitting the phones trying to squeeze stories out of sources and press offices, in his free time Connor studies software development, is a keen cook, and enjoys leading an active life through cycling, hiking, racket sports, and weightlifting.&lt;/p&gt; ]]></dc:description>
                                                                                                        <dc:contributor><![CDATA[ Max Slater-Robins ]]></dc:contributor>
                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/erynALx5P4m9bG3NhzqxUN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A CGI visualization of a holographic red warning symbol hovering above some code on a blue background, to represent the Log4Shell vulnerability.]]></media:description>                                                            <media:text><![CDATA[A CGI visualization of a holographic red warning symbol hovering above some code on a blue background, to represent the Log4Shell vulnerability.]]></media:text>
                                <media:title type="plain"><![CDATA[A CGI visualization of a holographic red warning symbol hovering above some code on a blue background, to represent the Log4Shell vulnerability.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/erynALx5P4m9bG3NhzqxUN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Log4Shell, the critical vulnerability <a href="https://www.itpro.com/security/zero-day-exploit/361847/log4shell-zero-day-vulnerability-numbers-revealed"><u>disclosed</u></a> in the Apache Log4j logging library in December 2021, remains one of the most impactful and persistent security flaws in modern software history, even now. </p><p>Assigned the identifier <a href="https://nvd.nist.gov/vuln/detail/cve-2021-44228"><u>CVE‑2021‑44228</u></a> and a maximum CVSS score of 10, the flaw enabled remote code execution by exploiting how Log4j handled Java Naming and Directory Interface (JNDI) lookups, letting attackers inject arbitrary code into affected systems with minimal effort.</p><p>Following the initial disclosure, threat actors globally began scanning and exploiting the flaw at scale, with some estimates suggesting more than 100 attempted attacks per minute at its peak.</p><p>Apache responded quickly with a series of patches, but the vulnerability's presence in countless Java applications – including those embedded deep within <a href="https://www.itpro.com/software/enterprises-need-to-sharpen-up-on-software-supply-chain-security"><u>software supply chains</u></a> – has made complete eradication elusive.</p><p>Several years on, Log4Shell continues to pose a serious risk. Nearly 4,000 organizations <a href="https://www.itpro.com/security/log4j-nearly-4000-organizations-still-vulnerable-two-years-on"><u>remain vulnerable</u></a> due to outdated components, unpatched systems, and inadequate dependency management, highlighting systemic issues in software maintenance and long-term remediation.</p><h2 id="how-big-is-the-problem">How big is the problem? </h2><p>In 2025, Log4Shell remains a significant security concern. A December 2023 <a href="https://www.itpro.com/security/log4j-nearly-4000-organizations-still-vulnerable-two-years-on"><u>report</u></a> by Veracode found that nearly 3,900 organizations were still using vulnerable Log4j versions across more than 38,000 applications.</p><p>Of those, 2.8% were running versions directly affected by the original Log4Shell flaw, and 3.8% were using 2.17.0, which contains a separate critical vulnerability (<a href="https://nvd.nist.gov/vuln/detail/cve-2021-44832" target="_blank"><u>CVE‑2021‑44832</u></a>). Notably, 32% of applications relied on Log4j 1.x, which has been deprecated since 2015 and is affected by several unresolved vulnerabilities.</p><p>Runtime telemetry from <a href="https://www.contrastsecurity.com/security-influencers/log4shell-vulnerability-log4j-still-being-exploited-contrast-security-adr" target="_blank"><u>Contrast Security</u></a> in late 2024 adds further context: 12% of Java applications still use vulnerable Log4j builds, with some seeing over 4,000 exploit probes each month, and unprotected apps faced, on average, more than two successful exploit attempts per month.</p><p>In December 2025, <a href="https://www.itpro.com/software/open-source/a-concerning-number-of-log4j-downloads-are-still-vulnerable-four-years-on"><u>Sonatype found 14% of Log4j downloads in the UK were still vulnerable</u></a>, with 13% worldwide found to contain the vulnerability despite the commonality of the safe variant.</p><h2 id="why-are-organizations-still-vulnerable">Why are organizations still vulnerable? </h2><p>Despite the availability of patches and intense scrutiny following the initial disclosure, many organizations remain exposed to Log4Shell due to a mix of technical, operational, and structural challenges.</p><p>One of the most persistent issues is dependency sprawl. Log4j is often embedded deep within software supply chains, making it difficult for IT teams to detect and remediate vulnerable instances. </p><p>Even when organizations are aware of the issue, patching can be complicated by compatibility concerns, legacy codebases, or the risk of disrupting production systems.</p><p>Developer behavior is also a contributing factor. A Veracode <a href="https://www.itpro.com/security/log4j-nearly-4000-organizations-still-vulnerable-two-years-on"><u>study</u></a> found that 79% of developers never update a third-party component after its initial inclusion. This inertia, combined with inconsistent dependency management practices, allows vulnerable versions of Log4j to persist across environments for years.</p><h2 id="ongoing-exploitation-and-real-world-risk">Ongoing exploitation and real-world risk</h2><p>While exposure alone is concerning, the continued exploitation of Log4Shell highlights the urgency of the issue. In short, threat actors have not moved on.</p><p>The continued presence of vulnerable Log4j instances across enterprise systems has kept Log4Shell a viable attack vector. Its widespread use in Java applications, particularly those with complex dependency trees, means attackers can still rely on it to breach environments with minimal effort.</p><p>Rather than large-scale campaigns, exploitation has become more targeted and opportunistic. Threat actors increasingly use Log4Shell to gain initial access before pivoting to broader objectives, such as lateral movement, credential harvesting, or data exfiltration. </p><p>In some cases, the vulnerability has been used to deploy crypto‑mining tools or maintain long-term persistence through web shells and backdoors.</p><p>Security researchers have observed that some attackers are specifically scanning for older Log4j 1.x deployments, knowing these are often overlooked in patching efforts and more likely to reside in legacy systems.</p><p>National security agencies, including CISA, <a href="https://www.itpro.com/software/open-source/cisa-wants-closer-ties-with-open-source-developers-to-stop-the-next-log4shell"><u>continue to classify</u></a> Log4Shell as a top-tier threat due to its ease of use and long tail of exploitation. Its persistence in attacker playbooks underscores the broader risks of unpatched software and the limitations of reactive security models.</p><h2 id="a-case-study-in-failed-remediation">A case study in failed remediation</h2><p>Log4Shell has become a defining example of how even widely publicised vulnerabilities can persist for years when underlying remediation processes break down. </p><p>Despite near-universal awareness and the availability of patches within days of disclosure, long-term exposure has remained common across industries, geographies, and system types.</p><p>Part of the challenge lies in the structure of modern software development. Applications frequently rely on dozens or even hundreds of third-party components, many of which are nested deep within dependency trees.</p><p>Logging utility Log4j was often pulled in automatically by other libraries. As a result, many organizations were unaware they were using it at all. This lack of visibility has been a recurring theme in vulnerability management failures.</p><p>More fundamentally, Log4Shell has exposed the fragility of existing patching practices. Many organizations lack effective mechanisms to track, test, and update dependencies at scale. </p><p>Security teams are often overburdened, and patch cycles prioritise immediate operational concerns over longer-term risk reduction. As a result, even critical flaws with simple fixes can remain unresolved for months or even years.</p><p>Log4Shell’s persistence serves as a warning: disclosure and awareness alone are not enough. Without structural improvements in dependency management, vulnerability monitoring, and patch governance, similar risks will continue to resurface.</p><h2 id="what-organizations-should-do">What organizations should do?</h2><p>While many security teams addressed Log4Shell shortly after its disclosure, the continued presence of vulnerable systems shows that one-off responses are not enough. Organizations must treat it not just as a vulnerability, but as a broader lesson in sustainable security hygiene.</p><p>Visibility is the priority. Teams should use software composition analysis (SCA) tools and maintain a software bill of materials (SBOM) to identify where Log4j – or any other vulnerable component – exists in their environments, including indirect dependencies and container images.</p><p>Where Log4j is still in use, remediation should follow quickly. For Log4j 2.x, this means upgrading to version 2.17.1 or later. For Log4j 1.x, migrating to a supported logging framework is essential, even if it requires significant code changes. Mitigations alone are not sufficient.</p><p>Defensive layers also matter. Runtime protections – such as egress filtering, EDR, and intrusion prevention – can detect or block exploitation attempts. These should be backed by effective logging and alerting.</p><p>Finally, organizations must improve long-term dependency management. Automated update pipelines, regular auditing, and security checks in CI/CD workflows reduce the risk of repeat incidents.</p><p>While Log4Shell emerged in 2021, its legacy demands systemic change, not just patching.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Firefox 95 boosts protection against zero-day attacks ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/network-internet/web-browser/361772/firefox-95-boosts-protection-against-zero-day-attacks</link>
                                                                            <description>
                            <![CDATA[ Mozilla's browser now takes a more granular approach to walling off code ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vRa9VGRhN4j785gcWteXYj</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/3F7yZu2B5vQNKZEBPc96ek-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 07 Dec 2021 14:02:04 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Web Browsers]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Danny Bradbury ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/3F7yZu2B5vQNKZEBPc96ek-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Mozilla Firefox logo on a laptop]]></media:description>                                                            <media:text><![CDATA[The Mozilla Firefox logo on a laptop]]></media:text>
                                <media:title type="plain"><![CDATA[The Mozilla Firefox logo on a laptop]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/3F7yZu2B5vQNKZEBPc96ek-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Mozilla is shipping a security technology with <a href="https://www.mozilla.org/en-US/firefox/95.0/releasenotes">Firefox 95</a> that it hopes will stop <a href="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale" data-original-url="https://www.itpro.com/security/zero-day-exploit/360447/why-zero-day-exploits-are-surging-on-an-unprecedented-scale">zero-day</a> attacks targeting users of the browser. </p><p>Called RLBox, the new feature will take a more granular approach to sandboxing, a security approach that runs website code in its own walled-off section of memory to avoid malicious components affecting the rest of the system.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/network-internet/web-browser/361640/mozilla-to-end-support-for-firefox-lockwise-password-manager" data-original-url="/network-internet/web-browser/361640/mozilla-to-end-support-for-firefox-lockwise-password-manager">Mozilla to end support for Firefox Lockwise password manager</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/web-browsers/24796/best-browser-chrome-vs-edge-vs-firefox" data-original-url="/web-browsers/24796/best-browser-chrome-vs-edge-vs-firefox">Best web browsers 2023: Google Chrome vs Microsoft Edge vs Firefox</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/network-internet/web-browser/361488/firefox-available-on-microsoft-store-for-first-time" data-original-url="/network-internet/web-browser/361488/firefox-available-on-microsoft-store-for-first-time">Firefox available on Microsoft Store for first time</a></p></div></div><p>In a <a href="https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95">blog post</a> announcing the feature, Mozilla distinguished engineer Bobby Holley highlighted a problem with existing browser sandboxing technology, which isolates web site processes in individual sandboxes, and is vulnerable to chained attacks.</p><p>Malware developers can compromise the process first, and then escape the sandbox, it warns. It also limits the extent to which code can be separated into different sandboxed processes because of the memory overhead involved.</p><p>Developed in conjunction with the University of California San Diego and the University of Texas, RLBox complements process-based isolation with a new approach. It compiles code as native code via WebAssembly, which is a portable compilation format.</p><p>This makes each separately compiled piece of native code safer, because it can't access memory outside of a specified region and can't make any unexpected jumps. The new approach makes it possible to run different pieces of trusted and untrusted code in the same process without them affecting each other.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="A7E5LkAp9fQtCkRAWiHBVZ" name="A7E5LkAp9fQtCkRAWiHBVZ.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/A7E5LkAp9fQtCkRAWiHBVZ.jpg" mos="https://cdn.mos.cms.futurecdn.net/A7E5LkAp9fQtCkRAWiHBVZ.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>How to manage AI risk</strong></p><p class="fancy-box__body-text">Recommendations from the Cyber Resilience Think Tank</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/technology/artificial-intelligence-ai/361093/how-to-manage-ai-risk" data-original-url="/technology/artificial-intelligence-ai/361093/how-to-manage-ai-risk">FREE DOWNLOAD</a></p></div></div><p>"RLBox is a big win for us on several fronts: it protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream," said Holley.</p><p>RLBox is a stand-alone project that Mozilla first trialed on macOS and Linux users last year. It is now deploying it across all Firefox platforms, including mobile systems.</p><p>Mozilla will begin with RLBox support for the Graphite font rendering system, the Hunspell spell checker, and the Ogg multimedia container format in Firefox 95. It will follow this up in Firefox 96 with support for the Expat XML parser and Woff2, the font compression technology used in the browser.</p><p>"Going forward, we can treat these modules as untrusted code, and — assuming we did it right — even a zero-day vulnerability in any of them should pose no threat to Firefox," Holley said. He also hoped that other browsers would adopt the open-source technology.</p><p>Mozilla has updated its bug bounty program to reward researchers for escaping the sandbox technology without exploiting vulnerabilities in an isolated component.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>