Microsoft Patch Tuesday: 74 CVEs plus 2 “Exploit Detected” advisories

By Paul Ducklin — August 9^th 2023 at 20:34

74 CVEs, and two "Exploitation Detected" advisories, which are nearly but not quite the same as 0-days. Also, two potential Teams treacheries that you really want to fix.

Naked Security

S3 Ep144: When threat hunting goes down a rabbit hole

By Paul Ducklin — July 20^th 2023 at 14:58

Latest episode - check it out now!

Naked Security

Google Virus Total leaks list of spooky email addresses

By Paul Ducklin — July 18^th 2023 at 23:16

Careful with that file, Eugene!

Naked Security

Microsoft hit by Storm season – a tale of two semi-zero days

By Paul Ducklin — July 18^th 2023 at 20:59

The first compromise didn't get the crooks as far as they wanted, so they found a second one that did...

Naked Security

S3 Ep143: Supercookie surveillance shenanigans

By Paul Ducklin — July 13^th 2023 at 16:48

Latest episode - listen now! (Full transcript inside.)

Naked Security

Microsoft patches four zero-days, finally takes action against crimeware kernel drivers

By Paul Ducklin — July 12^th 2023 at 18:57

Here's a brief reminder to do two things. The first is to patch. The second is to read up why it's a good idea to patch...

Naked Security

S3 Ep139: Are password rules like running through rain?

By Paul Ducklin — June 15^th 2023 at 18:43

Latest episode - listen now! (Full transcript inside.)

Naked Security

Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes

By Paul Ducklin — June 13^th 2023 at 23:32

No zero-days this month, if you ignore the Edge RCE hole patched last week

Naked Security

S3 Ep138: I like to MOVEit, MOVEit

By Paul Ducklin — June 8^th 2023 at 16:56

Backdoors, exploits, and Little Bobby Tables. Listen now! (Full transcript available...)

s3-ep138-1200

Naked Security

Chrome and Edge zero-day: “This exploit is in the wild”, so check your versions now

By Paul Ducklin — June 6^th 2023 at 18:28

Chrome and Edge 0-days patched.

Naked Security

Mac malware-for-hire steals passwords and cryptocoins, sends “crime logs” via Telegram

By Paul Ducklin — April 30^th 2023 at 01:23

These malware peddlers are specifically going after Mac users. The hint's in the name: "Atomic macOS Stealer", or AMOS for short.

Naked Security

S3 Ep132: Proof-of-concept lets anyone hack at will

By Paul Ducklin — April 27^th 2023 at 16:55

When Doug says, "Happy Remote Code Execution Day, Duck"... it's irony. For the avoidance of all doubt :-)

Naked Security

Double zero-day in Chrome and Edge – check your versions now!

By Paul Ducklin — April 24^th 2023 at 19:59

Wouldn't it be handy if there were a single version number to check for in every Chromium-based browser, on every supported platform?

Naked Security

S3 Ep130: Open the garage bay doors, HAL [Audio + Text]

By Paul Ducklin — April 13^th 2023 at 16:54

I'm sorry, Dave. I'm afraid I can't... errr, no, hang on a minute, I can do that easily! Worldwide! Right now!

Naked Security

Patch Tuesday: Microsoft fixes a zero-day, and two curious bugs that take the Secure out of Secure Boot

By Paul Ducklin — April 12^th 2023 at 18:57

Is Secure Boot without the Secure just "Boot"?

Naked Security

S3 Ep128: So you want to be a cybercriminal? [Audio + Text]

By Paul Ducklin — March 30^th 2023 at 19:43

Latest episode - listen now!

Naked Security

Microsoft assigns CVE to Snipping Tool bug, pushes patch to Store

By Paul Ducklin — March 27^th 2023 at 19:59

Microsoft says "successful exploitation requires uncommon user interaction", but it's the innocent and accidental leakage of private data you should be concerned about.

Naked Security

S3 Ep127: When you chop someone out of a photo, but there they are anyway…

By Paul Ducklin — March 23^rd 2023 at 17:59

Listen now - latest episode. Full transcript inside.

Naked Security

Windows 11 also vulnerable to “aCropalypse” image data leakage

By Paul Ducklin — March 22^nd 2023 at 17:59

Turns out that the Windows 11 Snipping Tool has the same "aCropalypse" data leakage bug as Pixel phones. Here's how to work around the problem...

Naked Security

S3 Ep 126: The price of fast fashion (and feature creep) [Audio + Text]

By Paul Ducklin — March 16^th 2023 at 17:56

Worried about rogue apps? Unsure about the new Outlook zero-day? Clear advice in plain English... just like old times, with Duck and Chet!

Naked Security

Microsoft fixes two 0-days on Patch Tuesday – update now!

By Paul Ducklin — March 15^th 2023 at 00:06

An email you haven't even looked at yet could be used to trick Outlook into helping crooks to logon as you.

Naked Security

S3 Ep122: Stop calling every breach “sophisticated”! [Audio + Text]

By Paul Ducklin — February 16^th 2023 at 17:46

Latest episode - listen now! (Full transcript inside.)

Naked Security

Microsoft Patch Tuesday: 36 RCE bugs, 3 zero-days, 75 CVEs

By Paul Ducklin — February 14^th 2023 at 22:12

Lots of lovely patches for your Valentine's Day delight. Get 'em as soon as you can...

Naked Security

GitHub code-signing certificates stolen (but will be revoked this week)

By Paul Ducklin — January 31^st 2023 at 11:35

There was a breach, so the bad news isn't great, but the good news isn't too bad...

Naked Security

Microsoft Patch Tuesday: One 0-day; Win 7 and 8.1 get last-ever patches

By Paul Ducklin — January 11^th 2023 at 00:22

Get 'em while they're hot. And get 'em for the very last time, if you still have Windows 7 or 8.1...

Naked Security

The horror! The horror! NOTEPAD gets tabbed editing (very briefly)

By Paul Ducklin — December 29^th 2022 at 19:59

Is there a special meaning of "don't" that means "go right ahead"?

Naked Security

Microsoft dishes the dirt on Apple’s “Achilles heel” shortly after fixing similar Windows bug

By Paul Ducklin — December 20^th 2022 at 17:59

It happens to the best of us: Microsoft highlights a security bypass bug on Macs that is curiously similar to a recent Windows 0-day.

Naked Security

S3 Ep113: Pwning the Windows kernel – the crooks who hoodwinked Microsoft [Audio + Text]

By Paul Ducklin — December 15^th 2022 at 17:10

Return o' the rookit, super-sneaky wireless spyware, credit card skimming, and patches galore. Listen and learn!

Naked Security

Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware

By Paul Ducklin — December 14^th 2022 at 01:13

Tales of derring-do in the cyberunderground! (And some zero-days.)

Naked Security

S3 Ep112: Data breaches can haunt you more than once! [Audio + Text]

By Paul Ducklin — December 9^th 2022 at 16:46

Breaches, exploits, busts, buffer overflows and bug hunting - entertaining and educational in equal measure.

Naked Security

Number Nine! Chrome fixes another 2022 zero-day, Edge patched too

By Paul Ducklin — December 5^th 2022 at 20:58

Ninth more unto the breach, dear friends, ninth more.

Naked Security

Chrome fixes 8th zero-day of 2022 – check your version now (Edge too!)

By Paul Ducklin — November 28^th 2022 at 19:42

There isn't a rhyme to remind you which months have browser zero-days... you just have to keep your eyes and ears open!

Naked Security

How to hack an unpatched Exchange server with rogue PowerShell code

By Paul Ducklin — November 22^nd 2022 at 19:54

Review your servers, your patches and your authentication policies - there's a proof-of-concept out

Naked Security

S3 Ep108: You hid THREE BILLION dollars in a popcorn tin?

By Paul Ducklin — November 10^th 2022 at 17:26

Patches, busts, leaks and why even low-likelihood exploits can be high-severity risks - listen now!

Naked Security

Exchange 0-days fixed (at last) – plus 4 brand new Patch Tuesday 0-days!

By Paul Ducklin — November 9^th 2022 at 19:58

In all the excitement, we kind of lost track ourselves. Were there six 0-days, or only four?

Naked Security

S3 Ep105: WONTFIX! The MS Office cryptofail that “isn’t a security flaw” [Audio + Text]

By Paul Ducklin — October 20^th 2022 at 18:54

The coolest video game ever! And lots of solid cybersecurity advice - listen now!

pic-1200

Naked Security

Serious Security: Microsoft Office 365 attacked over feeble encryption

By Paul Ducklin — October 14^th 2022 at 16:59

How 2022 is your encryption?

Naked Security

Patch Tuesday in brief – one 0-day fixed, but no patches for Exchange!

By Paul Ducklin — October 12^th 2022 at 16:58

There's a zero-day patch, but it's not for the zero-day you thought.

Naked Security

Serious Security: OAuth 2 and why Microsoft is finally forcing you into it

By Paul Ducklin — October 10^th 2022 at 18:02

Microsoft calls it "Modern Auth", though it's a decade old, and is finally forcing Exchange Online customers to switch to it.

Naked Security

S3 Ep103: Scammers in the Slammer (and other stories) [Audio + Text]

By Paul Ducklin — October 6^th 2022 at 14:43

Latest episode - listen and learn now (or read and revise, if the written word is your thing)...

Naked Security

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

By Paul Ducklin — October 1^st 2022 at 14:05

Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...

Naked Security

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

By Paul Ducklin — September 30^th 2022 at 18:25

Double-play 0-day in Exchange - what you need to know, and what you can do

Naked Security

S3 Ep97: Did your iPhone get pwned? How would you know? [Audio + Text]

By Paul Ducklin — August 25^th 2022 at 15:37

Latest episode - listen now! (Or read the transcript if you prefer the text version.)

Naked Security

S3 Ep95: Slack leak, Github onslaught, and post-quantum crypto [Audio + Text]

By Paul Ducklin — August 11^th 2022 at 14:34

Latest episode - listen now! (Or read the transcript if you prefer.)

Naked Security

Office macro security: on-again-off-again feature now BACK ON AGAIN!

By Paul Ducklin — July 23^rd 2022 at 01:10

20 years to turn it on, then 20 weeks to turn it off, then just 2 weeks to turn it back on again. That's progress!

Naked Security

S3 Ep91: CodeRed, OpenSSL, Java bugs, Office macros [Audio + Text]

By Paul Ducklin — July 14^th 2022 at 18:47

Latest episode - listen now! Great discussion, technical content, solid advice... all covered in plain English.

Naked Security

That didn’t last! Microsoft turns off the Office security it just turned on

By Paul Ducklin — July 11^th 2022 at 13:27

An Office anti-malware setting that took more than 20 years to arrive... and fewer than 20 weeks to vanish again.

Naked Security

S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]

By Paul Ducklin — June 16^th 2022 at 16:52

Lastest epsiode - listen now!

Naked Security

Follina gets fixed – but it’s not listed in the Patch Tuesday patches!

By Paul Ducklin — June 15^th 2022 at 01:20

We tried it out to make sure, so you don't have to.

Naked Security

Yet another zero-day (sort of) in Windows “search URL” handling

By Paul Ducklin — June 2^nd 2022 at 19:39

More trouble with special-purpose URLs on Windows.

Naked Security

Mysterious “Follina” zero-day hole in Office – here’s what to do!

By Paul Ducklin — May 30^th 2022 at 23:01

News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!

Naked Security

Microsoft patches the Patch Tuesday patch that broke authentication

By Paul Ducklin — May 20^th 2022 at 22:35

Remember the good old days when security patches rarely needed patches? Because security patches themlelves were rare enough anyway?

Naked Security

GitHub issues final report on supply-chain source code intrusions

By Paul Ducklin — April 29^th 2022 at 16:15

Learn how to find out which apps you've given access rights to, and how to revoke those rights immediately in an emergency.

Naked Security

Yet another Chrome zero-day emergency update – patch now!

By Paul Ducklin — April 16^th 2022 at 00:33

The third emergency Chrome 0-day in three months - the first one was exploited by North Korea, so you might as well get this one ASAP.

Naked Security

Google announces zero-day in Chrome browser – update now!

By Paul Ducklin — February 15^th 2022 at 19:17

Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week"

Naked Security

S3 Ep69: WordPress woes, Wormhole holes, and a Microsoft change of heart [Podcast + Transcript]

By Paul Ducklin — February 10^th 2022 at 01:15

Latest episode - listen now!

Naked Security

At last! Office macros from the internet to be blocked by default

By Paul Ducklin — February 8^th 2022 at 16:34

It's been a long time coming, and we're not there yet, but at least Microsoft Office will be a bit safer against macro malware...

Naked Security

S3 Ep66: Cybercrime busts, wormable Windows, and the crisis of featuritis [Podcast + Transcript]

By Paul Ducklin — January 20^th 2022 at 17:28

Latest epsiode - listen now!

Naked Security

Wormable Windows HTTP hole – what you need to know

By Paul Ducklin — January 12^th 2022 at 16:24

One bug in the January 2022 Patch Tuesday list is getting lots of attention: "HTTP Protocol Stack Remote Code Execution Vulnerability".

Naked Security

Check your patches – public exploit now out for critical Exchange bug

By Paul Ducklin — November 23^rd 2021 at 14:36

It was a zero-day bug until Patch Tuesday, now there's an anyone-can-use-it exploit. Don't be the one who hasn't patched.