Firefox 114 is out: No 0-days, but one fascinating “teachable moment” bug

With the right (or wrong, if you're on the right side of the fence) timing...

Serious Security: Verification is vital – examining an OAUTH login bug

What good is a popup asking for your approval if an attacker can bypass it simply by suppressing it?

PaperCut security vulnerabilities under active attack – vendor urges customers to patch

If you have the product, but you haven't patched - well, the crooks have now landed, so please don't delay. Do it today...

Windows 11 also vulnerable to “aCropalypse” image data leakage

Turns out that the Windows 11 Snipping Tool has the same "aCropalypse" data leakage bug as Pixel phones. Here's how to work around the problem...

Google Pixel phones had a serious data leakage bug – here’s what to do!

What if the "safe" images you shared after carefully cropping them... had some or all of the "unsafe" pixels left behind anyway?

Serious Security: TPM 2.0 vulns – is your super-secure data at risk?

Security bugs in the very code you've been told you must have to improve the security of your computer...

Apple patches are out – old iPhones get an old zero-day fix at last!

Don't delay, especially if you're still running an iOS 12 device... please do it today!

S3 Ep117: The crypto crisis that wasn’t (and farewell forever to Win 7) [Audio + Text]

Tell us in the comments... What's the REAL reason there was no Windows 9? (No theory too far-fetched!)

Microsoft dishes the dirt on Apple’s “Achilles heel” shortly after fixing similar Windows bug

It happens to the best of us: Microsoft highlights a security bypass bug on Macs that is curiously similar to a recent Windows 0-day.

How to hack an unpatched Exchange server with rogue PowerShell code

Review your servers, your patches and your authentication policies - there's a proof-of-concept out

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

Double-play 0-day in Exchange - what you need to know, and what you can do

APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see…

If you've ever written code that left stuff lying around in memory when you didn't need it any more... we bet you've regretted it!

S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]

Lastest epsiode - listen now!

Follina gets fixed – but it’s not listed in the Patch Tuesday patches!

We tried it out to make sure, so you don't have to.

You’re invited! Join us for a live walkthrough of the “Follina” story…

Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!

Atlassian announces 0-day hole in Confluence Server – update now!

Zero-day announced - here's what you need to know

S3 Ep85: Now THAT’S what I call a Microsoft Office exploit! [Podcast]

Latest episode - listen now!

Mysterious “Follina” zero-day hole in Office – here’s what to do!

News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!

Mozilla patches Wednesday’s Pwn2Own double-exploit… on Friday!

That was quick! 48 hours from exploit report to published patch.

RubyGems supply chain rip-and-replace bug fixed – check your logs!

Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".

Critical cryptographic Java security blunder patched – update now!

Either know the private key and use it scrupulously in your digital signature calculation.... or just send a bunch of zeros instead.

Yet another Chrome zero-day emergency update – patch now!

The third emergency Chrome 0-day in three months - the first one was exploited by North Korea, so you might as well get this one ASAP.

Google’s monthly Android updates patch numerous “get root” holes

Get the update now... if it's available for your phone. Here's how to check.

Zlib data compressor fixes 17-year-old security bug – patch, errrm, now

This code is venerable! Surely all the bugs must be out by now?

Google Chrome patches mysterious new zero-day bug – update now

CVE-2022-1096 - another mystery in-the-wild 0-day in Chrome... check your version now!

Irony alert! PHP fixes security flaw in input validation code

What's wrong with this sequence? 1. Step into the road 2. Check if it's safe 3. Keep on walki...

Microsoft blocks web installation of its own App Installer files

It's a big deal when a vendor decides to block one of its own "features" for security reasons. Here's why we think it's a good idea.

Linux kernel patches “performance can be harmful” bug in video driver

This bug is fiendishly hard to exploit - but if you patch, it won't be there to exploit at all.

Coronavirus SMS scam offers home PCR testing devices – don’t fall for it!

Free home PCR devices would be technological marvels, and really useful, too. But there aren't any...

“PwnKit” security bug gets you root on most Linux distros – what to do

An elevation of privilege bug that could let a "mostly harmless" user give themselves a instant root shell

Wormable Windows HTTP hole – what you need to know

One bug in the January 2022 Patch Tuesday list is getting lots of attention: "HTTP Protocol Stack Remote Code Execution Vulnerability".

Home routers with NetUSB support could have critical kernel hole

Got a router that supports USB access across the network? You might need a kernel update...

Log4Shell-like security hole found in popular Java SQL database engine H2

"It's Log4Shell, Jim, but not as we know it." How to find and fix a JNDI-based vuln in the H2 Database Engine.

Log4Shell vulnerability Number Four: “Much ado about something”

It's a Log4j bug, and you ought to patch it. But we don't think it's a critical crisis like the last one.

SFW! The Top N Cyber­security Stories of 2021 (for small positive integer values of N)

Happy Holidays! Our Top N stories, all totally SFW!

Apache’s other product: Critical bugs in ‘httpd’ web server, patch now!

The Apache web server just got an update - this one is nothing to do with Log4j!

Log4Shell: The Movie… a short, safe visual tour for work and home

Be happy that your sysadmins are taking one (three, actually!) for the team right now... here's why!

Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble

Have you ever seen the message "An error occurred"? Even worse, the message "This error cannot occur"? Facts matter!

S3 Ep63: Log4Shell (what else?) and Apple kernel bugs [Podcast+Transcript]

Latest episode - listen now! (Yes, there are plenty of critical things to go along with Log4Shell.)

Log4Shell explained – how it works, why you need to know, and how to fix it

Find out how to deal with the Log4Shell vulnerability right across your estate. Yes, you need to patch, but that helps everyone else along with you!

“Log4Shell” Java vulnerability – how to safeguard your servers

Just when you thought it was safe to relax for the weekend... a critical bug showed up in Apache's Log4j product

Check your patches – public exploit now out for critical Exchange bug

It was a zero-day bug until Patch Tuesday, now there's an anyone-can-use-it exploit. Don't be the one who hasn't patched.

Samba update patches plaintext password plundering problem

When Microsoft itself says STOP USING X, where X is one of its own protocols... we think you should listen.

Microsoft documents “SHROOTLESS” hack patched in latest Apple updates

We'd have called this bug "SHROOTMORE", but naming it wasn't our call.

Listen up 2 – CYBERSECURITY FIRST! How to protect yourself from supply chain attacks

Everyone remembers this year's big-news supply chain attacks on Kaseya and SolarWinds. Sophos expert Chester Wisniewski explains how to control the risk.

Listen up 3 – CYBERSECURITY FIRST! Cyberinsurance, help or hindrance?

Dr Jason Nurse, Associate Professor in Cybersecurity at the University of Kent, takes on the controversial topic of cyberinsurance.

Listen up 4 – CYBERSECURITY FIRST! Purple teaming – learning to think like your adversaries

Michelle Farenci knows her stuff, because she's a cybersecurity practitioner inside a cybersecurity company! Learn why thinking like an attacker makes you a better defender.

Cybersecurity Awareness Month: Listen up – CYBER­SECURITY FIRST!

Fraser Howard of SophosLabs is truly a world expert in fighting malware. Read now, and learn from the best!

Cybersecurity Awareness Month: Building your career

Explore. Experience. Share. How to get into cybersecurity...