Google: New Chrome Zero-Day Being Exploited
The search advertising giant released a Chrome security refresh overnight with a warning that malicious hackers are actively exploiting a critical type confusion vulnerability to launch malware attacks. “Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild,” the company said in a cryptic line added to its advisory. The vulnerability…
Critical WooCommerce Vulnerability Targeted Hours After Patch
WooCommerce is a popular open-source eCommerce plugin for WordPress, with more than 5 million installations to date, making it an attractive target for cybercriminals. On Thursday, WooCommerce said that on July 13 it received a report of a critical vulnerability in the plugin, urging users to update their installations as soon as possible, but without…
U.S. Offers $10 Million Rewards for Information on Foreign Hackers
The new website, StopRansomware.gov, is designed to serve as a central hub that consolidates ransomware resources from all government agencies, including CISA, the FBI, the Secret Service, NIST, the Department of Treasury, and the HHS. Its goal is to provide useful resources for individuals, businesses and other organizations. StopRansomware.govStopRansomware.gov provides information on what to do…
Facebook: Iranian Hackers Target Military, Aerospace Entities in the US
Recent activity that Facebook associated with the group focused on military personnel, defense organizations, and aerospace entities primarily in the United States and, to a lesser extent, the U.K. and Europe, showing an escalation of the group’s cyberespionage activities. Active since at least 2018, Tortoiseshell was previously observed targeting information technology organizations in the Middle…
SecurityWeek to Host Cloud Security Summit July 21, 2021
Through a fully immersive virtual environment, attendees will be able to interact with end users tasked with securing various cloud environments and services, and gain insights from leading solution providers and industry experts. “SecurityWeek’s Cloud Security Summit will examine a broad range of topics, including cloud asset discovery and management, identity management and multi-factor authentication,…
ICS Patch Tuesday: Siemens and Schneider Electric Address 100 Vulnerabilities
The 18 new advisories prepared by Siemens for the July 2021 Patch Tuesday cover nearly 80 vulnerabilities impacting the company’s products. Some of the vulnerabilities have already been patched by Siemens, while others are in the process of being fixed. Workarounds and/or mitigations are also available. An advisory for JT2Go and Teamcenter Visualization covers the…
Firefox 90 Adds Cross-Origin Protections, Advanced Tracker Blocker
The open-source browser refresh is currently rolling out with support for Fetch Metadata Request Headers, which means that web applications can better protect users against cross-site request forgery (CSRF), cross-site leaks (XS-Leaks), and speculative cross-site execution side channel attacks (such as Spectre). With the newly introduced feature, web application servers can distinguish between same-origin and…
Adobe: Critical Flaws in Reader, Acrobat, Illustrator
The Mountain View, Calif.-based Adobe urged Windows and macOS users to treat the PDF Reader patch with the utmost priority, because the flaws expose machines to remote code execution and privilege escalation attacks. The Acrobat and Reader update patches at least 19 documented vulnerabilities, all carrying the “critical” or “important” security ratings. ”Successful exploitation could…
Mitsubishi Electric Patches Vulnerabilities in Air Conditioning Systems
Advisories describing the vulnerabilities were published this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Mitsubishi Electric. SecurityWeek has also obtained additional information from people involved in the discovery and disclosure of these flaws. One advisory describes a critical vulnerability that exposes the affected control systems to unauthenticated XML external entity injection…
CISA Releases Analysis of 2020 Risk and Vulnerability Assessments
Designed to assess the effectiveness of Federal Civilian Executive Branch (FCEB), Critical Infrastructure (CI), and State, Local, Tribal, and Territorial (SLTT) stakeholders in identifying and resolving network vulnerabilities, the RVAs revealed that phishing links were the most successful technique for initial access. CISA conducted a total of 37 RVAs, leveraging the MITRE ATT&CK framework to…
