Patch News, Articles and Updates

Researcher pwns Charles Darwin to demonstrate Microsoft Edge exploit

Even Charles Darwin couldn't protect his Twitter account from being hijacked after a researcher stole his cookies and passwords by exploiting a reported universal cross-site scripting vulnerability in the Microsoft Edge browser.

Workaround created to defeat Microsoft Win 7, 8 security patch block

A Github user has published an open-source workaround that supposedly circumvents Microsoft's new block on receiving security updates for systems running Windows 7 or 8.1 on a PC powered by a sixth-generation processor.

Struts and Shadow Brokers exploits among the 299 fixed by Oracle patch

April 19 may now be known as Oracle Patch Day, with the company issuing a record 299 critical security fixes, including several that patch issues that can be exploited by some of the leaked NSA tools.

Microsoft's Patch Tuesday new Security Update Guide gets mixed reviews

Microsoft's April Patch Tuesday finally revealed the company's new approach in rolling out and informing the industry on the security updates for the month and at best has received mixed reviews from industry insiders.

Broadcom patches chipset flaws that enable remote code execution on Android and iOS devices

A Google Project Zero researcher has detailed a series of vulnerabilities in Broadcom's Wi-Fi chipsets that could potentially allow remote code execution on Android and iOS devices.

Apple's iOS 10.3.1 update patched Wifi code execution flaw

Days after releasing the iOS 10.3 patch, Apple has released a new patch, iOS 10.3.1, to correct a code execution flaw that could be exploited via WiFi.

Google researcher spots second critical bug in LastPass

For the second time in two weeks, Google researcher Tavis Ormandy has discovered a critical vulnerability in LastPass.

Apple patches bugs, reportedly reconfigures iOS to stifle pop-up scam

Apple on Monday released security updates for multiple products, and in the process also reconfigured iOS to address a pop-up issue that scammers were abusing to lock users out of their Safari mobile browsers in an attempt to extort money.

iTunes 12.6 addresses 17 vulnerabilities apiece in macOS and Windows devices

Apple last week updated its iTunes software to version 12.6 for its macOS products as well as Windows devices, in both cases fixing the same 17 vulnerabilities.

20-year-old flaw found in Ubiquiti networking gear running ancient PHP

Running PHP 2.0.1 turns out to be a bad way to secure network devices against a range of threats including cross-site request forgery attacks.

Old iOS vulnerability spotted in Nintendo Switch browser

A researcher has already found an old vulnerability in the Nintendo Switch which could allow remote attackers to execute arbitrary code.

Vulnerability in Apache Struts active in the wild

A new vulnerability allowing remote code execution has been spotted in Apache's Struts open-source project and is being actively exploited in the wild.

Third party develops temporary patch for Microsoft flaw that Google disclosed

Security research firm ACROS Security has issued a third-party patch for a Microsoft vulnerability that Google disclosed last month after Microsoft failed to issue a patch within Google's imposed 90-day deadline.

Vulnerability in Cisco NetFlow Generation Appliances could create DoS condition

The day after Cisco warned about a flaw in its Smart Install clients the company issued an advisory concerning a vulnerability in its Stream Control Transmission Protocol (SCTP) decoder of the Cisco NetFlow Generation Appliance (NGA).

Iceni Argus patches six remote code execution bugs

Cisco Talos research team has spotted multiple remote code execution vulnerabilities in the Iceni Argus PDF content extraction product.

Zscaler fixes XSS vulnerability in admin portal affecting co-workers

Cloud security vendor fixes cross-site scripting bug, downplays the threat, says it would only affect co-workers.

German researchers find flaws in nine major password managers

TeamSIK has published a security assessment of nine popular password management applications on Android devices and found them all to contain security vulnerabilities. All vulnerabilities have been patched prior to publication.

Privilege escalation flaw in Huawei Themes patched in software update

Huawei Technologies has released a new software update that patches a privilege escalation vulnerability in its Huawei Themes mobile app that could ultimately result in arbitrary code execution.

Irresponsible disclosure? Google reveals bug prior to Microsoft patch

A security researcher from Google's Project Zero has revealed a bug in Windows' Graphic Component GDI Library prior to Microsoft issuing a patch, despite Microsoft being warned back in November 2016.

Report: More than 100K WordPress web pages defaced following disclosure of patched bug

More than 100,000 WordPress web pages have been defaced, following last week's public disclosure of a patched vulnerability that allows attackers to remotely modify the content of pages and posts.

Unpatched Windows zero day allows DoS attacks, possibly other exploits

Microsoft Windows users should beware of an unpatched memory corruption bug which could be exploited to cause DoS attacks.

WordPress secretly patches severe bug that can lead to site content modification

WordPress last week silently patched a high-severity zero-day vulnerability that can allow unauthorized users to remotely modify a web page's content and change any post.

Spotting vulnerabilities in your open source code

ESET researchers have offered programmers a few tips for spotting vulnerable code and correcting it before it makes it into your system.

Mozilla issues five critical patches for Firefox and Firefox ESR

Mozilla issued two security advisories covering Firefox and Firefox ESR that between them contain 33 security patches, five rated as critical.

'Magic String' of characters could have compromised WebEx extension users

A vulnerability in Cisco's WebEx Chrome extension reportedly could have allowed adversaries to remotely execute code on machines that visited compromised URLs containing a special string of characters.

Apple issues updates for almost all its products

Anyone owning an Apple device probably needs to patch it.