A total of 22 vulnerabilities addressed with the latest Chrome refresh were reported by external researchers, including one critical-severity, 16 high-severity, and five medium-severity issues. There were 12 use-after-free bugs reported externally, impacting Safe Browsing, Site isolation, Web packaging, Omnibox, Printing, Vulkan, Scheduling, Text Input Method Editor, Bookmarks, Optimization Guide, and Data Transfer. The most…

Mike Sentonas, CTO at CrowdStrike, comments, “Frankly put, supply chains are vulnerable, and adversaries are actively researching ways to take advantage of this. We haven’t nearly seen the end of these attacks, and the implications for each one are significant for both the victims and the victims’ customers and partners up and down the chain.”…

Because of the vulnerability – which was addressed in November 2021 – an attacker only needed stolen credentials to access an organization’s Box account and steal sensitive data, provided that the account has SMS-based MFA enabled (which has long been proven insecure). Box, which claims that close to 100,000 companies use its platform, allows users…

Of the newly patched security flaws, nine are rated high-severity while six carry a “medium-severity” rating. The most important of these issues is CVE-2022-22746, a race condition leading to the bypass of full-screen notification on Windows machines. Next in line is CVE-2022-22743, another fullscreen spoof, this time affecting the browser window. The bug could allow…

The iOS 15.2.1 patch, available for all supported iPhones and iPads, is described simply as a “resource exhaustion issue” that causes the device to hang when processing maliciously crafted HomeKit accessory names. The sudden appearance of the patch comes almost two weeks after researcher Trevor Spiniolas publicly documented the HomeKit bug and warned that it…

The impacted devices include the SMA 200, 210, 400, 410, and 500 edge network access control systems that have the Web Application Firewall (WAF) enabled. The most severe of these vulnerabilities is CVE-2021-20038 (CVSS score of 9.8), an unauthenticated stack-based buffer overflow that could lead to remote code execution (RCE) as the ‘nobody’ user. “The…

Of the 26 security holes fixed in the Windows and macOS versions of Acrobat and Reader, 16 have been assigned a “critical” severity rating (high severity based on their CVSS score), and a majority are memory-related issues that can be exploited for arbitrary code execution. Four of these critical vulnerabilities — CVE-2021-44704 through CVE-2021-44707 —…

“[The] community is defined by those who show up and do the work. Companies that build open source into their products rarely participate in their continued maintenance,” the ASF said in a position paper published ahead of a high-level White House meeting on open-source software security. “Only a tiny percentage of downstream companies (reusing the…

Tracked as CVE-2021-22045 (CVSS score of 7.7), the security vulnerability exists in the CD-ROM device emulation function of Workstation, Fusion and ESXi. In an advisory, VMWare said the security defect could be exploited by attackers with access to a virtual machine that has CD-ROM device emulation enabled. An attacker capable of combining the security error…