QNAP pulls buggy QTS firmware causing widespread NAS issues

November 22, 2024 at 03:55PM QNAP has withdrawn a problematic firmware update (QTS 5.2.2.2950) following user complaints of connectivity issues and device lockouts. Customers reported errors preventing access to their NAS features. QNAP recommends downgrading to the previous version (5.2.1.2930) to resolve these issues but has not issued a formal statement. ### Meeting Takeaways 1. … Read more

Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

November 18, 2024 at 03:41PM A critical flaw in the Really Simple Security WordPress plug-in, affecting over 4 million sites, allows attackers to bypass authentication and gain administrative access. Rated 9.8 on the CVSS scale, the vulnerability has been patched in version 9.1.2. Users are urged to confirm updates to protect their sites. ### Meeting … Read more

New Windows Themes zero-day gets free, unofficial patches

October 29, 2024 at 04:30PM Free unofficial micropatches are now available for a Windows Themes zero-day vulnerability that allows NTLM credential theft. Discovered by ACROS Security, this issue affects all updated Windows versions. Users can apply these patches through 0patch while awaiting official fixes from Microsoft, which plans to address the problem promptly. ### Meeting … Read more

Samsung Zero-Day Vuln Under Active Exploit, Google Warns

October 22, 2024 at 05:38PM A critical zero-day vulnerability (CVE-2024-44068) in Samsung’s mobile processors allows arbitrary code execution. Discovered in the m2m scaler driver, it received an 8.1 CVSS score and was patched in October 2024. Reported by Google researchers, it includes privilege escalation and anti-forensic measures. **Meeting Takeaways:** 1. **Discovery of Vulnerability**: A zero-day … Read more

SolarWinds critical hardcoded credential bug under active exploit

October 16, 2024 at 04:03PM A critical credential vulnerability in SolarWinds’ Web Help Desk (CVE-2024-28987) allows unauthenticated remote access. Although patched in version 12.8.3 HF2, many instances remain vulnerable. The flaw is exploited by criminals, with significant risks of sensitive data exposure. This is SolarWinds’ second critical bug for the product in two months. ### … Read more

About the security content of tvOS 17.5 – Apple Support

October 15, 2024 at 02:21PM Apple TV’s tvOS 17.5 addresses multiple security vulnerabilities, enhancing memory handling and input validation. Key issues include potential system shutdowns, app terminations, arbitrary code execution, and user data access. Updates are available for Apple TV HD and Apple TV 4K models. ### Meeting Takeaways on tvOS 17.5 Security Updates **Release … Read more

Mozilla fixes Firefox zero-day actively exploited in attacks

October 9, 2024 at 01:38PM Mozilla released an emergency security update for Firefox to fix a critical use-after-free vulnerability (CVE-2024-9680) in Animation timelines, currently exploited in attacks. Affected versions are Firefox 131.0.2, Firefox ESR 115.16.1, and Firefox ESR 128.3.1. Users are urged to upgrade immediately for protection. ### Meeting Takeaways on Mozilla Firefox Security Update … Read more

Broadcom fixes critical RCE bug in VMware vCenter Server

September 17, 2024 at 04:00PM Broadcom has addressed a critical VMware vCenter Server vulnerability (CVE-2024-38812) that allows unauthenticated remote attackers to achieve remote code execution through a heap overflow weakness in vCenter’s DCE/RPC protocol. Security patches are available, with the company advising administrators to apply the updates listed in the VMware Security Advisory to protect … Read more

VMware Patches Remote Code Execution Flaw Found in Chinese Hacking Contest

September 17, 2024 at 03:21PM VMware, owned by Broadcom, released critical-severity patches for two vulnerabilities in its vCenter Server. One vulnerability, CVE-2024-38812, poses a major risk of remote code execution, while the other, CVE-2024-38813, is a privilege escalation vulnerability. The flaws impact vCenter Server and Cloud Foundation versions, and patches are the only known solution. … Read more

Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

September 12, 2024 at 01:12PM GitLab released security updates addressing 17 vulnerabilities, including a critical flaw (CVE-2024-6678) enabling an attacker to run pipeline jobs as an arbitrary user. This is the fourth flaw patched in the past year. Users are urged to apply the patches immediately. There is no evidence of active exploitation, but caution … Read more