BleepingComputer: New Windows zero-day with public exploit lets you become an admin

BleepingComputer: New Windows zero-day with public exploit lets you become an admin. “A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server. BleepingComputer has tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges.”

Microsoft Warns: Another Unpatched PrintNightmare Zero-Day (ThreatPost)

ThreatPost: Microsoft Warns: Another Unpatched PrintNightmare Zero-Day. “One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler. The zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it’s rated as ‘important.’”

Bleeping Computer: Actively exploited bug bypasses authentication on millions of routers

Bleeping Computer: Actively exploited bug bypasses authentication on millions of routers. “Threat actors actively exploit a critical authentication bypass vulnerability impacting home routers with Arcadyan firmware to take them over and deploy Mirai botnet malicious payloads. The vulnerability tracked as CVE-2021-20090 is a critical path traversal vulnerability (rated 9.9/10) in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication.”

Tom’s Guide: Update Google Chrome now to fix this dangerous zero-day flaw

Tom’s Guide: Update Google Chrome now to fix this dangerous zero-day flaw. “Few details are yet available about the zero-day flaw. Google’s Chrome blog post yesterday (July 15) notes that it involves ‘type confusion in V8,’ the JavaScript rendering engine used by Chrome, and that ‘Google is aware of reports that an exploit for CVE-2021-30563 [the flaw’s catalogue number] exists in the wild.’”

How to Get into the Bug-Bounty Biz: The Good, Bad and Ugly (Threatpost)

Threatpost: How to Get into the Bug-Bounty Biz: The Good, Bad and Ugly. “In the past handful of weeks, Apple announced a patch for its MacOS bypass bug and rushed four out-of-band fixes for zero-days under active attack; Chrome’s zero-day was posted on Twitter in mid-April; and of course the Microsoft Exchange zero-day attack is still fresh. Threatpost invited zero-day experts to dig beyond the headlines, including Katie Trimble-Noble, the former DHS official who runs Intel’s bug-bounty program; Greg Ose, who runs GitHub’s bug-bounty program, and James McQuiggan, a security awareness advocate for KnowBe4.”

BetaNews: Update Chrome for Windows, Mac and Linux to protect against a dangerous zero-day vulnerability

BetaNews: Update Chrome for Windows, Mac and Linux to protect against a dangerous zero-day vulnerability. “A serious security vulnerability has been discovered in Chrome, forcing Google to push out an emergency update to the browser. Affecting the Windows, Mac and Linux versions of Chrome, the high severity vulnerability is being tracked as CVE-2021-21148.”

Mashable: Apple just released a security update for your iPhone. Download it now.

Mashable: Apple just released a security update for your iPhone. Download it now. “According to the tech giant, researchers uncovered multiple vulnerabilities in the software powering iPhones and iPads. And, much to everyone’s consternation, Apple’s also seen evidence that those vulnerabilities ‘may have been actively exploited.’ In other words, hackers — whether they be criminal or government-affiliated — might be using these security holes for their own purposes.”

BetaNews: If you’re still using Windows 7, you need to install this important, free 0-day patch

BetaNews: If you’re still using Windows 7, you need to install this important, free 0-day patch. “Earlier this month a security researcher discovered a local privilege escalation vulnerability in both Windows 7 and Windows Server 2008 R2. There’s no indication that Microsoft will issue a patch even for organizations that paid for extended support, but the vast majority of Windows 7 users will be left vulnerable. Or at least that would be the case if it wasn’t for 0patch stepping up to the plate and making a micropatch available for free.”

BetaNews: Google issues patches for two serious Chrome zero-day vulnerabilities

BetaNews: Google issues patches for two serious Chrome zero-day vulnerabilities. “Google’s Project Zero is very quick to point out security flaws in other companies’ products, but the search giant is far from being perfect itself. Two recently discovered zero-day vulnerabilities in Chrome have just been fixed with a new patch. CVE-2020-16009 and CVE-2020-16010 are remote code-execution and heap-based buffer overflow flaws respectively and affect both the desktop and Android versions of Google’s web browser.”

Neowin: Google discloses ‘high’ severity security flaw in GitHub

Neowin: Google discloses ‘high’ severity security flaw in GitHub. “The vulnerability has been classified as a ‘high’ severity issue by Google Project Zero. We’ll spare you the nitty-gritty technical details – and you’re free to view them in detail here if you want – but the meat of the matter is that workflow commands in GitHub Actions are extremely vulnerable to injection attacks.”

PCMag UK: Google Calls Out Windows Zero-Day Vulnerability That Remains Unpatched

PCMag UK: Google Calls Out Windows Zero-Day Vulnerability That Remains Unpatched. “Google has revealed the details on a new zero-day Windows bug that it says is currently being exploited by hackers. The vulnerability, which is yet unnamed, has been classified as CVE-2020-17087. Google’s security outfit Project Zero took to its Chromium repository to post the vulnerability, asking Microsoft to resolve the issue in one week. Microsoft failed to do so, and as such the vulnerability has been published for all to see.”

TechCrunch: Homeland Security issues rare emergency alert over ‘critical’ Windows bug

TechCrunch: Homeland Security issues rare emergency alert over ‘critical’ Windows bug. “The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network’s security. The bug was appropriately called ‘Zerologon,’ because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.”

BetaNews: Microsoft fixes multiple actively exploited zero-day vulnerabilities as part of Patch Tuesday

BetaNews: Microsoft fixes multiple actively exploited zero-day vulnerabilities as part of Patch Tuesday. “Microsoft’s monthly Patch Tuesday security updates are always important, but the ones released this week are particularly important. Not only do the fixes address numerous zero-day vulnerabilities, but the security flaws they fix were being actively exploited. In all, Microsoft has plugged 113 CVE-numbered vulnerabilities this month. 17 of these are marked as being critical, and 96 as important.”