Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

Microsoft Patch Tuesday, December 2023 Edition

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

Krebs on Security
Open in Source
#vulnerability#web#mac#windows#microsoft#git#rce#zero_day#blog
Update now! Apple issues patches for older iPhones and other devices

Apple has issued emergency updates that include patches for older iOS devices concerning two actively used zero-days that were patched for iOS 17 last week

Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed

The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.

CVE-2023-35624

Azure Connected Machine Agent Elevation of Privilege Vulnerability

CVE-2023-35625

Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability

CVE-2023-35619

Microsoft Outlook for Mac Spoofing Vulnerability

CVE-2020-28369: Privilege Management for Windows and Mac | BeyondTrust

In BeyondTrust Privilege Management for Windows (aka PMfW) through 5.7, a SYSTEM installation causes Cryptbase.dll to be loaded from the user-writable location %WINDIR%\Temp.

Non-Human Access is the Path of Least Resistance: A 2023 Recap

2023 has seen its fair share of cyber attacks, however there’s one attack vector that proves to be more prominent than others - non-human access. With 11 high-profile attacks in 13 months and an ever-growing ungoverned attack surface, non-human identities are the new perimeter, and 2023 is only the beginning.  Why non-human access is a cybercriminal’s paradise  People always

CVE-2023-49563: storedxss-snmpwebpro1.1

Cross Site Scripting (XSS) in Voltronic Power SNMP Web Pro v.1.1 allows an attacker to execute arbitrary code via a crafted script within a request to the webserver.

CVE-2023-35624: Azure Connected Machine Agent Elevation of Privilege Vulnerability

**According to the CVSS metric, user interaction is required (UI:R) and privileges required is Low (PR:L). What does that mean for this vulnerability?** A non-admin local user who has sufficient permissions to create symbolic links on a Windows computer that has Azure Connected Machine Agent installed (or before the agent is installed) could create links from a directory used by the agent to other privileged files on the computer. If the administrator later installs virtual machine extensions on the machine, those files could be deleted.