Software patching is often thought of as a basic cyber security process. On the surface, it appears to be straightforward: simply apply updates to your systems. But as it turns out, patching is not so straightforward after all, especially in industrial/OT environments. In fact, it is likely the single most...
Patch management in an operational technology (OT)/industrial control system (ICS) setting is full of challenges. From proprietary hardware and software to a lack of staff, inadequate or non-existent testing equipment, and regulatory reporting and system maintenance, many organizations struggle to determine what is...
Microsoft upgraded a vulnerability first discovered in September to "critical" after IBM Security researchers discovered attackers could exploit the flaw to remotely execute code. The latest code execution bug has a broader scope and could affect a wider range of Windows systems than EternalBlue.
Microsoft's last monthly dump of patches for 2022 includes a fix for a zero-day exploited by ransomware hackers to bypass the SmartScreen security mechanism for malware execution. The zero-day hinged on hackers creating a malformed Authenticode signature.
The shortage of cybersecurity professionals in the United States includes a scarcity of expertise in medical device security, says Bill Aerts, senior fellow and managing director of the University of Minnesota's recently launched Center for Medical Device Cybersecurity.
Iranian hackers used Log4Shell to penetrate the network of an unnamed federal agency where they stole passwords and implanted cryptocurrency mining software. Whether the Iranians were acting wholly on Tehran's behalf, on their own behalf, or both, is uncertain.
Microsoft released patches fixing a pair of Exchange vulnerabilities revealed publicly in late September and collectively known as ProxyNotShell. The computing giant assesses with "medium confidence" that state-sponsored hackers have exploited the now-squashed bugs.
The U.K. Information Commissioner levied a nearly $5 million fine against Interserve Group Limited for its lack of security protections in the run-up to a 2020 ransomware attack. The firm kept employee data on servers running obsolete versions of Windows and used outdated antivirus software.
Probe deep enough into a once-obscure subsystem in the Windows operating system called the Common Log File System and you might come out the other end with system privileges. Researchers on Zscaler’s ThreatLabz research team say the root cause of a recent CLFS zero-day resides in base file metadata.
Just weeks after laying off 10% of its workforce, Immersive Labs completed a funding round to cover more developer languages and safeguard Azure and Google Cloud. The Ten Eleven Ventures-led funding will help Immersive Labs expand its coverage from frontline cybersecurity staff to development teams.
One zero-day down but two Microsoft Exchange zero-days to go in this month's dose of patches from the Redmond, Washington computing giant. Microsoft fixed a COM+ flaw being exploited in the wild but for now is relying on workarounds for two known email server bugs.
Count Log4Shell among Chinese hackers' favorite vulnerabilities, federal agencies say in a compilation of top exploits used by Beijing for state-sponsored cyber theft and espionage. Chinese state-sponsored hacking remains "one of the largest and most dynamic threats," warn the FBI, NSA and CISA.
Chat app WhatsApp patched two memory-related flaws that could be exploited by an attacker as a first step to installing smartphone malware on Android or Apple devices. WhatsApp vulnerabilities can be highly valuable to malicious actors.
A congressional deal will ensure the U.S. Food and Drug Administration can continue collecting fees from medical device manufacturers but at the price of dropping increased cybersecurity mandates for the industry. Requiring manufacturers to patch devices had bipartisan support.