Twitter tells users: Pay up if you want to keep using insecure 2FA

Ironically, Twitter Blue users will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.

Apple fixes zero-day spyware implant bug – patch now!

Everyone update now! Except for those who don't need to! Or who need to but will only get updates later on, though Apple isn't saying yet!

Password-stealing “vulnerability” reported in KeePass – bug or feature?

Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?

Serious Security: The Samba logon bug caused by outdated crypto

Enjoy our Serious Security deep dive into this real-world example of why cryptographic agility is important!

Apple patches are out – old iPhones get an old zero-day fix at last!

Don't delay, especially if you're still running an iOS 12 device... please do it today!

Microsoft dishes the dirt on Apple’s “Achilles heel” shortly after fixing similar Windows bug

It happens to the best of us: Microsoft highlights a security bypass bug on Macs that is curiously similar to a recent Windows 0-day.

Apple patches everything, finally reveals mystery of iOS 16.1.2

There's an update for everything this time, not just for iOS.

Pwn2Own Toronto: 54 hacks, 63 new bugs, $1 million in bounties

That's a mean average of $15,710 per bug... and 63 fewer bugs out there for crooks and rogues to find.

SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m

Guilty party got 18 months, also has to pay back $20m he probably hasn't got, which could land him in more hot water.

Number Nine! Chrome fixes another 2022 zero-day, Edge patched too

Ninth more unto the breach, dear friends, ninth more.

The CHRISTMA EXEC network worm – 35 years and counting!

"Uh-oh, this viruses-and-worms scene could turn out quite troublesome." If only we'd been wrong...

Serious Security: MD5 considered harmful – to the tune of $600,000

It's not just the hashing, by the way. It's the salting and the stretching, too!

How to hack an unpatched Exchange server with rogue PowerShell code

Review your servers, your patches and your authentication policies - there's a proof-of-concept out

Log4Shell-like code execution hole in popular Backstage dev tool

Good old "string templating", also known as "string interpolation", in the spotlight again...

Dangerous SIM-swap lockscreen bypass – update Android now!

A bit like leaving the front door keys under the doormat...

Emergency code execution patch from Apple – but not an 0-day

Not a zero-day, but important enough for a quick-fire patch to one system library...

Twitter Blue Badge email scams – Don’t fall for them!

That was the week that was...

The OpenSSL security update story – how can you tell what needs fixing?

How to Hack! Finding OpenSSL library files and accurately identifying their version numbers...

OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway!

That bated-breath OpenSSL update is out! It's no longer rated CRITICAL, but we advise you to patch ASAP anyway. Here's why...

SHA-3 code execution bug patched in PHP – check your version!

As everyone waits for news of a bug in OpenSSL, here's a reminder that other cryptographic code in your life may also need patching!

Chrome issues urgent zero-day fix – update now!

We've said it before/And we'll say it again/It's not *if* you should patch/It's a matter of *when*. (Hint: now!)

Updates to Apple’s zero-day update story – iPhone and iPad users read this!

Turns out that Tuesday's zero-day for iOS 16 is Friday's zero-day for iOS 15...

Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now!

Ventura hits the market with 112 patches, Catalina's gone missing, and iPhones and iPads get a critical kernel-level zero-day patch...

Zoom for Mac patches sneaky “spy-on-me” bug – update now!

Hey! That back door isn't supposed to be there at all, let alone propped open...

Dangerous hole in Apache Commons Text – like Log4Shell all over again

Third time unlucky. Time to put your patching boots on again...

Mystery iPhone update patches against iOS 16 mail crash-attack

The problem with crashy messaging apps is that *other people* get to choose if and when to send you messages...

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

Double-play 0-day in Exchange - what you need to know, and what you can do

Uber and Rockstar – has a LAPSUS$ linchpin just been busted (again)?

Is this the same suspect as before? Is he part of LAPSUS$? Is this the man who hacked Uber and Rockstar? And, if so, who else?

S3 Ep101: Uber and LastPass breaches – is 2FA all it’s cracked up to be? [Audio + Text]

Latest episode - listen now! Learn why adopting 2FA isn't a reason to relax your other security precautions...

Chrome and Edge fix zero-day security hole – update now!

This time, the crooks got there first - only 1 security hole patched, but it's a zero-day.

URGENT! Apple slips out zero-day update for older iPhones and iPads

Patch as soon as you can - that recent WebKit zero-day affecting new iPhones and iPads is apparently being used against older models, too.

Laptop denial-of-service via music: the 1980s R&B song with a CVE!

We haven't validated this vuln ourselves... but the source of the story is impeccable. (Impeccably dressed, at least.)

Apple patches double zero-day in browser and kernel – update now!

Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!

Zoom for Mac patches critical bug – update now!

There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...

APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see…

If you've ever written code that left stuff lying around in memory when you didn't need it any more... we bet you've regretted it!

GnuTLS patches memory mismanagement bug – update now!

GnuTLS may well be the most widespread cryptographic toolkit you've never heard of. Learn more...

Critical Samba bug could let anyone become Domain Admin – patch now!

It's a serious bug... but there's a fix for it, so you know exactly what to do!

Facebook 2FA scammers return – this time in just 21 minutes

Last time they arrived 28 minutes after lighting up their fake domain... this time it was just 21 minutes

Apache “Commons Configuration” patches Log4Shell-style bug – what you need to know

It's a bit like Log4J, but for configuration files, not for logging.

S3 Ep90: Chrome 0-day again, True Cybercrime, and a 2FA bypass [Podcast + Transcript]

Listen now! Or read if you prefer...

Google patches “in-the-wild” Chrome zero-day – update now!

Running Chrome? Do the "Help-About-Update" dance move right now, just to be sure...

Facebook 2FA phish arrives just 28 minutes after scam domain created

The crooks hit us up with this phishing email less than half an hour after they activated their new scam domain.

S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]

Lastest epsiode - listen now!

Follina gets fixed – but it’s not listed in the Patch Tuesday patches!

We tried it out to make sure, so you don't have to.

You’re invited! Join us for a live walkthrough of the “Follina” story…

Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!

Atlassian announces 0-day hole in Confluence Server – update now!

Zero-day announced - here's what you need to know

S3 Ep85: Now THAT’S what I call a Microsoft Office exploit! [Podcast]

Latest episode - listen now!

Mysterious “Follina” zero-day hole in Office – here’s what to do!

News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!

Mozilla patches Wednesday’s Pwn2Own double-exploit… on Friday!

That was quick! 48 hours from exploit report to published patch.

US Government says: Patch VMware right now, or get off our network

Find and patch. Right now. If you can't patch, get it off the network. Right now! Oh, and show us what you did to comply.

Pwn2Own hacking schedule released – Windows and Linux are top targets

What's better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?

Firefox out-of-band update to 100.0.1 – just in time for Pwn2Own?

A new point-release of Firefox. Not unusual, but the timing of this one is interesting, with Pwn2Own coming up in a few days.

RubyGems supply chain rip-and-replace bug fixed – check your logs!

Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".

Critical cryptographic Java security blunder patched – update now!

Either know the private key and use it scrupulously in your digital signature calculation.... or just send a bunch of zeros instead.

Yet another Chrome zero-day emergency update – patch now!

The third emergency Chrome 0-day in three months - the first one was exploited by North Korea, so you might as well get this one ASAP.

Two different “VMware Spring” bugs at large – we cut through the confusion

Whoever came up with the name "Spring4Shell" didn't help at all... we cut through the Spring Bug confusion

“VMware Spring Cloud Function” Java bug gives instant remote code execution – update now!

Easy unauthenticated remote code execution - PoC code already out

Zlib data compressor fixes 17-year-old security bug – patch, errrm, now

This code is venerable! Surely all the bugs must be out by now?

Google Chrome patches mysterious new zero-day bug – update now

CVE-2022-1096 - another mystery in-the-wild 0-day in Chrome... check your version now!