Patch Tuesday in brief – one 0-day fixed, but no patches for Exchange!

There's a zero-day patch, but it's not for the zero-day you thought.

Serious Security: OAuth 2 and why Microsoft is finally forcing you into it

Microsoft calls it "Modern Auth", though it's a decade old, and is finally forcing Exchange Online customers to switch to it.

S3 Ep103: Scammers in the Slammer (and other stories) [Audio + Text]

Latest episode - listen and learn now (or read and revise, if the written word is your thing)...

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

Double-play 0-day in Exchange - what you need to know, and what you can do

WhatsApp “zero-day exploit” news scare – what you need to know

Is WhatsApp currently under active attack by cybercriminals? Is this a clear and current danger? How worried should WhatsApp users be?

Apple patches zero-day holes – even in the brand new iOS 16

Five updates, one upgrade, plus two zero-days. Patch your Macs, iPhones and iPads as soon as you can (again)...

Chrome and Edge fix zero-day security hole – update now!

This time, the crooks got there first - only 1 security hole patched, but it's a zero-day.

Chrome patches 24 security holes, enables “Sanitizer” safety system

24 existing bugs fixed. And, we hope, numerous potential future bugs prevented.

Firefox 104 is out – no critical bugs, but update anyway

Two trust-spoofing bugs were the main culprits this month - but neither one was a zero-day.

Apple patches double zero-day in browser and kernel – update now!

Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!

Zoom for Mac patches critical bug – update now!

There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...

APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see…

If you've ever written code that left stuff lying around in memory when you didn't need it any more... we bet you've regretted it!

Mild monthly security update from Firefox – but update anyway

You're probably thinking we're going to say, "Don't delay/Do it today"... and that's exactly what we are saying!

8 months on, US says Log4Shell will be around for “a decade or longer”

When it comes to cybersecurity, ask not what everyone else can do for you...

Paying ransomware crooks won’t reduce your legal risk, warns regulator

"We paid the crooks to keep things under control and make a bad thing better"... isn't a valid excuse. Who knew?

S3 Ep89: Sextortion, blockchain blunder, and an OpenSSL bugfix [Podcast + Transcript]

Latest episode - listen and read now! Use our advice to advise your own friends and family... let's all do our bit to stand up to scammers!

Firefox 102 fixes address bar spoofing security hole (and helps with Follina!)

Firefox squashes a bug that helped phishers, and brings its own helping hand to Microsoft's "Follina" saga.

FTC warns of LGBTQ+ extortion scams – be aware before you share!

It's a simple jingle and it's solid advice: "If in doubt, don't give it out!"

S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]

Lastest epsiode - listen now!

Firefox 101 is out, this time with no 0-day scares (but update anyway!)

After an intriguing month of Firefox releases, here's one with a bit less drama, probably to the collective relief of Mozilla's coders.

Poisoned Python and PHP packages purloin passwords for AWS access

More supply chain trouble - this time with clear examples so you can learn how to spot this stuff yourself.

Mozilla patches Wednesday’s Pwn2Own double-exploit… on Friday!

That was quick! 48 hours from exploit report to published patch.

Apple patches zero-day kernel hole and much more – update now!

You'll find fixes for numerous kernel-level code execution holes, including an 0-day vulnerability in many (though not all) versions.

Firefox out-of-band update to 100.0.1 – just in time for Pwn2Own?

A new point-release of Firefox. Not unusual, but the timing of this one is interesting, with Pwn2Own coming up in a few days.

S3 Ep81: Passwords (still with us!), Github, Firefox at 100, and network worms [Podcast]

Latest episode - listen now!

Firefox hits 100*, fixes bugs… but no new zero-days this month

Despite concerns that some websites might break when Chromium and then Firefox reached version 100, the web still seems to be intact.

Ransomware Survey 2022 – like the Curate’s Egg, “good in parts”

You might not like the headline statistics in this year's ransomware report... but that makes it even more important to take a look!

S3 Ep77: Bugs, busts and old-school PDP-11 hacking [Podcast]

Latest episode - listen now! Cybersecurity news and advice in plain English.

Firefox 99 is out – no major bugs, but update anyway!

Firefox's four-weekly updates just dropped - here's what you need to know.

LAPSUS$ hacks continue despite two hacker suspects in court

Do you know where in your company to report security anomalies? If you receive such reports, do you have an efficient way to process them?

“VMware Spring Cloud Function” Java bug gives instant remote code execution – update now!

Easy unauthenticated remote code execution - PoC code already out

Google Chrome patches mysterious new zero-day bug – update now

CVE-2022-1096 - another mystery in-the-wild 0-day in Chrome... check your version now!

Serious Security: DEADBOLT – the ransomware that goes straight for your backups

Some tips on how to keep your network safe - even (or perhaps especially!) if you think you're safe already.

Apple patches 87 security holes – from iPhones and Macs to Windows

Lots of fixes, with data leakage flaws and code execution bugs patched on iPhones, Macs and even Windows.

S3 Ep73: Ransomware with a difference, dirty Linux pipes, and much more [Podcast + Transcript]

Latest episode - listen now!

“Dirty Pipe” Linux kernel bug lets anyone write to any file

Even read-only files can be written to, leading to a dangerously general purpose elevation-of-privilege attack.

Adafruit suffers GitHub data breach – don’t let this happen to you

Training data stashed in GitHub by mistake... unfortunately, it was *real* data

Firefox patches two actively exploited 0-day holes: update now!

Firefox just published a double-zero-day patch - "remote code execution" combined with "sandbox escape". Update now!

Ransomware with a difference: “Derestrict your software, or else!”

"Change your code to improve cryptomining"... or we'll dump 1TB of stolen secrets.

Did we learn nothing from Y2K? Why are some coders still stuck on two digit numbers?

Calling all website coders: Y2K was then. V1H is now!

S3 Ep71: VMware escapes, PHP holes, WP plugin woes, and scary scams [Podcast + Transcript]

Latest episode - listen now!

French speakers blasted by sextortion scams with no text or links

You'd spot this one a mile away... but what about your friends or family?

Adobe fixes zero-day exploit in e-commerce code: update now!

There's a remote code execution hole in Adobe e-commerce products - and cybercrooks are already exploiting it.

Apple zero-day drama for Macs, iPhones and iPads – patch now!

Sudden update! Zero-day browser hole! Drive-by malware danger! Patch Apple laptops and phones now...

Microsoft blocks web installation of its own App Installer files

It's a big deal when a vendor decides to block one of its own "features" for security reasons. Here's why we think it's a good idea.

Linux kernel patches “performance can be harmful” bug in video driver

This bug is fiendishly hard to exploit - but if you patch, it won't be there to exploit at all.

Apple fixes Safari data leak (and patches a zero-day!) – update now

That infamous "supercookie" bug in Safari has now been fixed. Oh, and there was a zero-day kernel hole as well.

“PwnKit” security bug gets you root on most Linux distros – what to do

An elevation of privilege bug that could let a "mostly harmless" user give themselves a instant root shell

S3 Ep66: Cybercrime busts, wormable Windows, and the crisis of featuritis [Podcast + Transcript]

Latest epsiode - listen now!

Serious Security: Linux full-disk encryption bug fixed – patch now!

Imagine if someone who didn't have your password could sneakily modify data that was encrypted with it.

FTC threatens “legal action” over unpatched Log4j and other vulns

Remember the Equifax breach? Remember the $700m penalty? In case you'd forgotten, here's the FTC to refresh your memory!

S3 Ep63: Log4Shell (what else?) and Apple kernel bugs [Podcast+Transcript]

Latest episode - listen now! (Yes, there are plenty of critical things to go along with Log4Shell.)

“Log4Shell” Java vulnerability – how to safeguard your servers

Just when you thought it was safe to relax for the weekend... a critical bug showed up in Apache's Log4j product

Firefox update brings a whole new sort of security sandbox

Firefox 95.0 is out, with the usual security fixes... plus some funky new ones.

S3 Ep60: Exchange exploit, GoDaddy breach and cookies made public [Podcast]

Latest episode - listen now! Solid cybersecurity advice in plain English.

US government securities watchdog spoofed by investment scammers – don’t fall for it!

Those numbers that show up on your phone to tell you who's calling? Treat them as SUGGESTIONS, never as PROOF.

Check your patches – public exploit now out for critical Exchange bug

It was a zero-day bug until Patch Tuesday, now there's an anyone-can-use-it exploit. Don't be the one who hasn't patched.

Github cookie leakage – thousands of Firefox cookie files uploaded by mistake

Be aware before you share! That's a good rule for developers and techies, just as much as it is for social media addicts.

Apple’s Mail Privacy Protection feature – watch out if you have a Watch!

Apple's "Protect Mail Activity" is a handy privacy enhancement for your messaging habits. As long as you know its limitations...