The ‘TLStorm’ vulnerabilities, found in APC Smart-UPS products, could allow attackers to cause both cyber and physical damage by taking down critical infrastructure.
Posts tagged "Flaws"
Microsoft 365 may finally have sorted out one of the most irritating aspects of using its web apps.
Previously, users looking to work across different Microsoft 365 accounts, whether work or personal, had to sign out and then sign back in when they wanted to switch.
Now, a new update looks set to banish this problem by adding account switching for Microsoft 365 web apps, saving huge amounts of time and lowering blood pressure across the platform's global user base.
Microsoft 365 account switching
In its official entry in the Microsoft 365 roadmap, the company notes how the update will simplify working across different accounts going forward.
Users will now be able to sign into multiple work and personal accounts on Microsoft 365 web apps in the same browser, with Microsoft saying they will be able to “seamlessly switch” between accounts without needing to sign out and sign back in again.
The feature is currently in development, but has a predicted release date of April 2022, meaning users could see it within just a few weeks. Upon release, Microsoft says account switching will be generally available to all Microsoft 365 web users across the world.
Microsoft 365 has been pushing hard to attract new customers in recent months as companies around the world look to adapt their technology stack as they gradually return to the office.
The company has aimed to poach customers from Google Workspace or other Microsoft Office alternatives with the promise of cheap deals and more flexibility, especially as some users are unhappy at Google's move to end a free tier of its software.
It has also made several moves to boost the security of Microsoft 365, adding a new layer of email security to make sure all emails sent through Exchange Online will only be delivered through connections that have both authentication and encryption.
The company also allowed Microsoft Defender for Office 365 to customize a new authentication mechanism in a bid to further extend its anti-spoofing protection.
Being plagued with annoying Gmail notifications could soon be a thing of the past if a new feature being tested by Google comes to fruition.
This should mean that users won't get pinged for every new email message they receive if they have Gmail running on a desktop PC somewhere.
The site reported seeing the feature on a test account, where it was advertised in a pop-up alert.
The feature would allow your browser to “detect if you're active or away”, meaning Gmail would be able to identify when a user is actively using the service.
9to5Google notes that it doesn't appear that the service can be enabled or disabled through Gmail settings, but instead has to be accessed through the Google Chrome settings menu itself, potentially meaning it is a closely-linked tool between the company's browser and email platforms.
The tool doesn't appear to be rolling out publicly as of yet, with no sign in the Google support pages, so it may be part of a beta test ahead of a wider launch later this year.
The news comes as Google is in the midst of rolling out a major overhaul for Gmail which brings together Google Chat, Spaces and Meet into a new, integrated view to provide users with a one-stop shop for all their communication needs.
As well as this integrated view, the new Gmail will allow users to view specific app menus in a collapsible panel, and get alerts for new Chat and Space messages through notification bubbles.
Going forward, all Google apps in Gmail will be situated in a single menu on the left of the screen. Users can switch between them by clicking on an app's menu, or point to an icon to see a preview, with the new collapsible panel able to be hidden or displayed with a click at any time.
Google also notes that individual and group chat messages can be accessed from the Chat tab, including opening into a small pop-up window at the bottom of your screen.
Google is currently rolling out the updated Gmail to select users now, with a wider rollout taking place over the next few weeks. Scheduled Release domains will reportedly begin receiving the new look from February 28.
Researchers have found a number of high-severity vulnerabilities in third-party driver software – bugs that originated in a library created by network virtualization firm Eltima – that leave about a dozen cloud services used by millions of users worldwide open to privilege-escalation attacks. That includes Amazon WorkSpaces, Accops and NoMachine, among others: all apps that […]
The latest version of Mozilla Firefox is including a welcome security upgrade that the company hopes can keep its browser safe from code-based attacks.
Available now, the desktop and mobile editions of Firefox 95 will come with RLBox technology, which looks to prevent and limit any damage caused by code security flaws or bugs.
The “novel sandboxing tool” will look to make Firefox the most secure browser option around, the company claims.
RLBox was developed by Mozilla alongside researchers at the University of California San Diego and the University of Texas.
The tool uses WebAssembly to isolate potentially buggy code, ensuring no possible infections or flaws are able to launch or execute without the user knowing.
Mozilla notes that although all major browsers, including Firefox, run web content in their own sandboxed process, hackers often chain together two vulnerabilities to break through – one to compromise the sandboxed process containing the malicious site, and another to escape the sandbox.
This has previously meant having to hoist subcomponents of a browser into a separate process, but this has some limitations – which is where RLBox comes in.
“Rather than hoisting the code into a separate process, we instead compile it into WebAssembly and then compile that WebAssembly into native code,” Mozilla says.
Although not suitable for every component, Mozilla says it is working on expanding the reach of RLBox as much as it can – including to other browsers. The company shipped a prototype to its Mac and Linux users to test in 2020, showing it can operate effectively across different operating systems.
“RLBox is a big win for us on several fronts: it protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream,” Mozilla's Bobby Holley wrote in a blog post announcing the news.
“This technology opens up new opportunities beyond what’s been possible with traditional process-based sandboxing, and we look forward to expanding its usage and (hopefully) seeing it adopted in other browsers and software projects.”
Netgear has issued patches to fix security vulnerabilities in two of its routers which can be exploited by an attacker to take full control of the devices remotely.
The two devices that have received patches are the R6400v2 and R6700v3. However, 77 of Netgear's other routers reportedly still remain vulnerable to a zero-day vulnerability that was reported to the company back in January of this year.
The vulnerability, which lies in the HTTPD daemon used to manage the routers, was discovered independently by both Grimm's Adam Nichols and d4rkn3ss from Vietnam's VNPT ISC through the Zero Day Initiative (ZDI).
ZDI has released a report that includes some information about the vulnerability while Nichols has written a lengthy blog post describing it in detail, a Proof of Concept (PoC) exploit and even scripts to find vulnerable routers online.
Based on the reports about the vulnerability, the affected router models run an HTTPD daemon that does not adequately check the length of user-supplied data; when that data is copied into a fixed-length buffer, the missing check allows an attacker to trigger a buffer overflow.
To exploit the flaw in Netgear's routers, an attacker would need to create a specially crafted string capable of executing commands on the device without having to authenticate first. In his blog post, Nichols explained that while stack cookies would normally be able to mitigate this vulnerability, many of Netgear's routers don't use them, saying:
“In most modern software, this vulnerability would be unexploitable. Modern software typically contains stack cookies which would prevent exploitation. However, the R7000 does not use stack cookies. In fact, of all of the Netgear products which share a common codebase, only the D8500 firmware version 22.214.171.124 and the R6300v2 firmware versions 126.96.36.199-188.8.131.52 use stack cookies. However, later versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable.”
If you have Netgear's R6400v2 or R6700v3 router you can download hot-fixes for the vulnerability now but if you have one of the 77 other affected routers, you're out of luck until the company releases patches for them.
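The pattern the reports describe (a request value copied into a fixed-size stack buffer with no length check) is shown below beside a length-checked version. This is an added illustration, not Netgear's HTTPD code; the function and field names and the 32-byte field size are hypothetical, and the oversized value is constructed for the demo. The unchecked handler is included only to show the defect; the demo never feeds it an oversized value, because that would corrupt the stack, which is exactly what a stack cookie (GCC's `-fstack-protector`) is there to detect and the article notes most of these firmware builds lack.

```c
/* Added example (not Netgear's code): unchecked copy vs. length-checked copy. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* hypothetical fixed-size field in a request handler */

/* Vulnerable pattern: the length of the supplied value is never compared
 * against the destination size, so anything longer than FIELD_MAX-1 bytes
 * writes past the end of 'field' on the stack. Without a compiler-inserted
 * stack cookie nothing notices the overwrite at runtime. */
int handle_unchecked(const char *value)
{
    char field[FIELD_MAX];
    strcpy(field, value);          /* no bound on the copy: the defect */
    return (int)strlen(field);
}

/* Hardened version: measure the input without reading past the buffer size,
 * reject anything that does not fit (including room for the NUL), and copy
 * with an explicit bound. Returns the copied length, or -1 on rejection. */
int handle_checked(const char *value, char *out, size_t out_len)
{
    size_t n = strnlen(value, out_len);   /* never scans beyond out_len */
    if (n >= out_len)
        return -1;                        /* oversized value: reject it */
    memcpy(out, value, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper using a local fixed-size field, mirroring how a
 * handler would hold the value before acting on it. */
int accept_value(const char *value)
{
    char field[FIELD_MAX];
    return handle_checked(value, field, sizeof field);
}

/* Demo: a normal value is accepted, a constructed 127-byte value is rejected
 * before any byte is written. Returns 0 when both behave as expected. */
int demo(void)
{
    char big[FIELD_MAX * 4];                 /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int ok = accept_value("admin");          /* expected 5 */
    int rejected = accept_value(big);        /* expected -1 */
    printf("normal value: %d, oversized value: %d\n", ok, rejected);
    return (ok == 5 && rejected == -1) ? 0 : 1;
}

int main(void) { return demo(); }
```

The important difference is that the checked version fails closed: an over-long value produces an error return the caller can log and refuse, rather than a silent write past the end of the buffer that later manifests as a crash or code execution.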
Cisco has addressed two high-severity vulnerabilities in its Webex video conferencing software that could have allowed unprivileged attackers to run programs and code on vulnerable systems.
The two vulnerabilities, tracked as CVE-2020-3263 and CVE-2020-3342, affect Cisco Webex Meetings Desktop App releases earlier than version 39.5.12, and all Webex users should update their software to the latest version to avoid falling victim to any potential exploits.
In an advisory concerning the arbitrary program execution flaw affecting Webex's Windows client, Cisco provided more details on the vulnerability and explained what an attacker could do to a user's system following a successful exploit, saying:
“The vulnerability is due to improper validation of input that is supplied to application URLs. The attacker could exploit this vulnerability by persuading a user to follow a malicious URL. A successful exploit could allow the attacker to cause the application to execute other programs that are already present on the end-user system. If malicious files are planted on the system or on an accessible network file path, the attacker could execute arbitrary code on the affected system.”
Cisco also patched a remote code execution vulnerability in Webex's Mac client that was caused by improper certificate validation on software update files downloaded by the software.
The vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code on macOS with the same privileges as the logged-in user. In a separate advisory, Cisco explained how an attacker could exploit the vulnerability, saying:
“An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update.”
Cisco has since fixed both of these vulnerabilities with the release of version 40.1.0 of Webex for Windows and version 39.5.11 of Webex for Mac. Windows and Mac users can update their Cisco Webex clients by following these instructions while admins can update both versions of the client by following this guide.