BetaNews: If you’re still using Windows 7, you need to install this important, free 0-day patch

BetaNews: If you’re still using Windows 7, you need to install this important, free 0-day patch. “Earlier this month a security researcher discovered a local privilege escalation vulnerability in both Windows 7 and Windows Server 2008 R2. There’s no indication that Microsoft will issue a patch even for organizations the paid for extended support, but the vast majority of Windows 7 users will be left vulnerable. Or at least that would be case if it wasn’t for 0patch stepping up to the plate and making a micropatch available for free.”

BetaNews: Google issues patches for two serious Chrome zero-day vulnerabilities

BetaNews: Google issues patches for two serious Chrome zero-day vulnerabilities. “Google’s Project Zero is very quick to point out security flaws in other company’s products, but the search giant is far from being perfect itself. Two recently discovered zero-day vulnerabilities in Chrome have just been fixed with a new patch. CVE-2020-16009 and CVE-2020-16010 are remote code-execution and heap-based buffer overflow flaws respectively and affect both the desktop and Android versions of Google’s web browser.”

Neowin: Google discloses ‘high’ severity security flaw in GitHub

Neowin: Google discloses ‘high’ severity security flaw in GitHub. “The vulnerability has been classified as a ‘high’ severity issue by Google Project Zero. We’ll spare you the nitty-gritty technical details – and you’re free to view them in detail here if you want – but the meat of the matter is that workflow commands in GitHub Actions are extremely vulnerable to injection attacks.”

PCMag UK: Google Calls Out Windows Zero-Day Vulnerability That Remains Unpatched

PCMag UK: Google Calls Out Windows Zero-Day Vulnerability That Remains Unpatched. “Google has revealed the details on a new zero-day Windows bug that it says is currently being exploited by hackers. The vulnerability, which is yet unnamed, has been classified as CVE-2020-17087. Google’s security outfit Project Zero took to its Chromium repository to post the vulnerability, asking Microsoft to resolve the issue in one week. Microsoft failed to do so, and as such the vulnerability has been published for all to see.”

TechCrunch: Homeland Security issues rare emergency alert over ‘critical’ Windows bug

TechCrunch: Homeland Security issues rare emergency alert over ‘critical’ Windows bug. “The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network’s security. The bug was appropriately called ‘Zerologon,’ because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.”

BetaNews: Microsoft fixes multiple actively exploited zero-day vulnerabilities as part of Patch Tuesday

BetaNews: Microsoft fixes multiple actively exploited zero-day vulnerabilities as part of Patch Tuesday. “Microsoft’s monthly Patch Tuesday security updates are always important, but the ones released this week are particularly important. Not only do the fixes address numerous zero-day vulnerabilities, but the security flaws they fix were being actively exploited. In all, Microsoft has plugged 113 CVE-numbered vulnerabilities this month. 17 of these are marked as being critical, and 96 as important.”

BetaNews: Microsoft releases emergency patch for critical SMB vulnerability in Windows 10 and Windows Server

BetaNews: Microsoft releases emergency patch for critical SMB vulnerability in Windows 10 and Windows Server. “Earlier this week, Microsoft inadvertently released details of a critical vulnerability in the SMBv3 protocol in Windows 10 and Windows Server. While there was no fix available at the time, the company did provide suggestions about how to mitigate against attacks. With the information out in the wild, Microsoft was under pressure to get a patch released to customers — and now it has managed to produce such a fix.”

Neowin: Google patches Chrome zero-day vulnerability currently being exploited

Neowin: Google patches Chrome zero-day vulnerability currently being exploited. “Google has released an update for Chrome that patches three security bugs, one of which is a zero-day vulnerability that is currently being exploited. The vulnerability, under the identifier CVE-2020-6418, was discovered by Clement Lecigne, a member of Google’s Threat Analysis Group, on February 18.”

BetaNews: Hacker demonstrates Remote Code Execution exploit for Windows Remote Desktop Gateway

BetaNews: Hacker demonstrates Remote Code Execution exploit for Windows Remote Desktop Gateway. “The exploit takes advantage of the CVE-2020-0609 and CVE-2020-0610 vulnerabilities which have already been shown to make a denial of service attack possible. Now Luca Marcelli has shown how the same vulnerabilities can be exploited in a Remote Code Execution attack.”

Bleeping Computer: Microsoft’s IE Zero-day Fix is Breaking Windows Printing

Bleeping Computer: Microsoft’s IE Zero-day Fix is Breaking Windows Printing. “Unfortunately, the scope of issues being caused by applying this fix is greater than originally thought. Since applying this fix, many users have reported that this fix is also causing printing to fail on HP printers and other USB printers. When users attempt to print they receive I/O errors and the print jobs fail.”

Lifehacker: Block Internet Explorer’s Latest Vulnerability With This Workaround

Lifehacker: Block Internet Explorer’s Latest Vulnerability With This Workaround. “Microsoft disclosed a troublesome vulnerability in Internet Explorer last week, affecting various permutations of Internet Explorer 9, 10, and 11 across Windows 7, 8.1, and Windows 10 (as well as various editions of Windows Server). The bad news is that Microsoft won’t likely patch this problem until February—when the next major batch of security updates hits. Thankfully, there are a few workarounds you can use right now to keep yourself safe from this new remote code execution vulnerability.”

BetaNews: 0patch releases micropatch for Internet Explorer vulnerability — including for Windows 7

BetaNews: 0patch releases micropatch for Internet Explorer vulnerability — including for Windows 7. “At the end of last week, a serious vulnerability was discovered in Internet Explorer, affecting all versions of Windows. Not only is the bug (CVE-2020-0674) being actively exploited, but for Windows 7 users the vulnerability was exposed right after their operating system reached the end of its life. Even for users of newer versions of Windows, and despite the severity of the security flaw, Microsoft said it would not be releasing a patch until February. Stepping in to plug the gap comes 0patch with a free micropatch for all versions of Windows affected by the vulnerability.” Third party patches make me wary (this is not because of 0patch, but just in general) but if you don’t want to wait until February…

The Register: It’s Friday, the weekend has landed… and Microsoft warns of an Internet Explorer zero day exploited in the wild

The Register: It’s Friday, the weekend has landed… and Microsoft warns of an Internet Explorer zero day exploited in the wild. “Microsoft let slip on Friday an advisory detailing an under-attack zero-day vulnerability (CVE-2020-0674) for Internet Explorer. The scripting engine flaw can be exploited to gain remote code execution on a vulnerable machine by way of a specially crafted webpage. The flaw can be mitigated by restricting access to the JavaScript component JScript.dll, and thus far there is no patch available.”

Krebs on Security: Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Krebs on Security: Cryptic Rumblings Ahead of First 2020 Patch Tuesday. “Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.”

Ars Technica: Firefox gets patch for critical zeroday that’s being actively exploited

Ars Technica: Firefox gets patch for critical zeroday that’s being actively exploited. “Mozilla has released a new version of Firefox that fixes an actively exploited zeroday that could allow attackers to take control of users’ computers. In an advisory, Mozilla rated the vulnerability critical and said it was ‘aware of targeted attacks in the wild abusing this flaw.'”