Patching News, Articles and Updates

Symantec endpoint zero-day unpatched for months

A vulnerability in Symantec endpoint clients remains unpatched months after disclosure, according to security researchers.

Apple issues emergency fix for High Sierra root access flaw

A day after a developer revealed a root access flaw in macOS High Sierra version 10.13.1, Apple released an emergency patch, which it plans to push out today.

Symantec patches certificate spoofing flaw in Install Norton product

Symantec patched a certificate spoofing vulnerability in its Install Norton Security product that occurs when downloading Norton for Mac.

Intel Management Engine vulnerabilities expose millions of PCs to attack

Intel researchers identified elevation-of-privilege vulnerabilities in various product families which could enable a system crash or system instability, among other issues.

The problem with your inherited legacy systems

Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

Windows, Mac and Linux all at risk from flaws in Excel file reader library

Security researchers have warned over multiple flaws in Libxls that could result in remote code execution using specially crafted XLS files.

Oracle issues emergency patch for JoltandBleed bug in Tuxedo middleware

Oracle Corporation issued a series of emergency patches on Tuesday last week, fixing five vulnerabilities in its Tuxedo middleware platform, including a critical one that has been compared to Heartbleed.

Cisco: Critical vulnerability in 12 types of Voice OS-based products

Cisco has patched a critical flaw in its Voice-OS which could allow an unauthenticated, remote hacker to gain elevated access to 12 types of its products.

Microsoft Patch Tuesday: 20 critical issues addressed

Microsoft's November Patch Tuesday rollout included patches for 53 flaws, 20 rated critical, spread across a variety of products, including Edge, Internet Explorer, Windows and Office.

ToastAmigo malware uses new twist to attack Toast overlay vulnerability

A new malware uses an updated methodology to abuse the previously patched Android Toast overlay vulnerability and, once installed, can download additional malware as well as use various permissions to access the phone.

Tor patches flaw that could expose MacOS and Linux IP addresses

The Tor Project released a patch fixing an issue that could reveal the correct IP address of MacOS and Linux users using the Tor browser.

Apple addresses KRACK exploits in iOS and macOS updates

Apple has finally addressed the KRACK vulnerabilities in its latest updates for macOS High Sierra, Sierra and El Capitan, and in iOS 11.1, tvOS and watchOS.

Google bug tracker service flaw allowed access to new vulnerability reports

A private website Google used to track bugs in its own products was discovered to have its own set of flaws that could have exposed sensitive vulnerability reports - now fixed.

Apache OpenOffice patches four vulnerabilities in 4.1.4 update

Apache OpenOffice patched four medium-severity vulnerabilities in the suite's word processing and graphics apps.

T-Mobile API bug may have leaked customer account data

A bug in T-Mobile's wsg.t-mobile.com API may have allowed attackers to access customer data that can be used to carry out phishing attacks or worse.

LG patches app bug that can turn IoT vacuums into robotic spies

LG patches holes in its IoT device range following cooperation with Check Point, including vacuum cleaners that could have become digital spies in the home.

WannaCry - North Korea blamed by UK; NHS didn't follow recommendations

A National Audit Office (NAO) report says NHS trusts were left vulnerable to the unsophisticated WannaCry attack because NHS chiefs ignored cyber-security recommendations. The UK Government holds North Korea responsible.

Quarter of financial service employee mobile devices unpatched

A quarter of financial service employee mobile devices have unpatched vulnerabilities, according to a recent Symantec report.

Attack is imminent - get "back to basics" - not just during CyberSec month

Patching and application control should be first on the list to strengthen your organisation against attack, but take a strategic approach: don't just patch for the latest WannaCry, but for the next big attack too, says Amber Boehm.

Oracle patches 252 bugs, increase in E-Business Suite and PeopleSoft flaws

Oracle Corp's quarterly Critical Patch Update (CPU) has fixes for 252 vulnerabilities, including extremely severe bugs found in the company's Hospitality Applications, Siebel CRM solution, and PeopleSoft HR software.

ROCA vulnerability threatens RSA encrypted devices on the heels of KRACK scare

ROCA proof-of-concept attacks threaten RSA encrypted devices dating as far back as 2012 - affected devices need patching now.

Mozilla patches three critical issues in Thunderbird and Firefox

Mozilla issued a security update stating that the newly released Thunderbird 52.4, Firefox 56 and Firefox ESR 52.4 patch 10 vulnerabilities found in earlier iterations of the software: two rated critical, five high and three moderate.

Patch Tuesday Microsoft: 62 vulnerabilities, 28 critical, 1 in the wild

Microsoft's October Patch Tuesday release covered a wide spectrum of problems, the majority of which could result in remote code execution (RCE), with CVE-2017-11826 both publicly disclosed and actively exploited.

Contractor's only IT technician steals 30GB of Australian defence secrets

30GB of data was stolen from a small Australian military defence contractor, including technical information on jet fighters, transport aircraft and 'smart bomb kits'. The culprit: the contractor's lone IT technician.

Flaw in Windows DNS client exposed millions of users to hacking

Security researchers have advised the patching of a critical vulnerability in the DNS client used in Windows. The flaw could allow hackers to gain access to a target system.

Apple issues new security update for macOS High Sierra

Apple issued a supplemental security update for macOS High Sierra 10.13 to patch two issues, one of which fixes a keychain password issue discovered last week.

How do we reconcile the open source security risk with GDPR best practice?

GDPR calls for a documented, systematic approach to evaluating your security measures, including how you patch, but patching open source code has its own problems, explain Matthew Jacobs and Daniel Hedley.

Seven deadly flaws found in Dnsmasq DNS forwarder and DHCP server

Patch the Dnsmasq DNS forwarder and DHCP server now or stay vulnerable, researchers warn.

Critical zero-days found in three popular WordPress plugins

Critical zero-day vulnerabilities in three popular WordPress plug-ins could allow attackers to completely take over a vulnerable site.

Apple's iOS 11 release prevents backdoor exploit on Wi-Fi chips

Apple's release of iOS 11 patched an out-of-bounds write vulnerability in Wi-Fi chips that, if exploited, could have allowed attackers within range to execute arbitrary code on the firmware.