Apple Only Commits to Patching Latest OS Version

People have suspected this for a while, but Apple has made it official. It only commits to fully patching the latest version of its OS, even though it claims to support older versions.

From ArsTechnica:

In other words, while Apple will provide security-related updates for older versions of its operating systems, only the most recent upgrades will receive updates for every security problem Apple knows about. Apple currently provides security updates to macOS 11 Big Sur and macOS 12 Monterey alongside the newly released macOS Ventura, and in the past, it has released security updates for older iOS versions for devices that can’t install the latest upgrades…


Critical Vulnerability in OpenSSL

There are no details yet, but it’s really important that you patch OpenSSL 3.x when the new version comes out on Tuesday.

How bad is “Critical”? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable.

It’s likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code remotely. In other words, pretty much everything you don’t want happening on your production systems…


How to check if a certain vulnerability has been fixed with a backport? [migrated]

I have a server that runs Ubuntu Server 20.04 LTS. The version of nginx provided by the official repository is 1.18.0, which in turn is vulnerable to CVE-2021-23017. However, the changelog says that the version provided by the Ubuntu repo…

Responsible Disclosure for Cryptocurrency Security

Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software.

Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers don’t have an ongoing relationship with the hardware and software providers that protect their funds—nor do they have an incentive to update security on a regular basis. Turning to a new security provider or using updated software creates risks; leaving everything the way it was feels safer. So users won’t be rushing to pay for and install new security patches…


Windows 8.1 displays full-screen warning as it nears its last day of support

Turn on a PC running Microsoft Windows 8.1 and you’re likely to be greeted with a full-screen message warning that the operating system will no longer be supported after 10 January 2023, and – critically – will no longer be receiving any security updates.

The most common exploit paths enterprises leave open for attackers

Exposed version control repositories, leaked secrets in public code repositories, a subdomain vulnerable to takeover, exposed Amazon S3 buckets, and Microsoft Exchange servers vulnerable to CVE-2021-42321 exploitation are the most common exploit …

KB Patches not taking effect for CVE-2022-26832: .NET Framework Denial of Service Vulnerability

Rapid7 has found CVE-2022-26832 on a server running Windows Server 2012 R2 Standard Edition with a French language pack installed.
The following is listed as the proof why Rapid 7 thinks the vulnerability exists:

Vulnerable software inst…