Search the Community

Microsoft Edge has been updated in the Stable Channel with a couple of security fixes coming from the Chromium project. The Extended Stable Channel also received an update with Chromium and Edge-specific security fixes. In the Stable Channel, Microsoft released version 133.0.3065.82. It includes the following security patches: CVE-2025-0999: Heap buffer overflow in V8 allows remote attackers to exploit heap corruption using special HTML pages (high severity). CVE-2025-1006: Use after free in Network allows remote attackers to exploit heap corruption with web apps (medium severity) CVE-2025-1426: Heap buffer overflow in GPU allows remote attackers to exploit heap corruption using special HTML pages (high severity). Edge users in the Extended Stable Channel, which receives big updates every eight weeks instead of four, have been updated to version 132.0.2957.171. The update contains four Edge-specific security fixes that patch remote code execution vulnerability: CVE-2025-21279, CVE-2025-21283, CVE-2025-21408, and CVE-2025-21342. Like other modern browsers, Microsoft Edge will update itself automatically in the background. However, you can speed things up by heading to edge://settings/help. Speaking of speeding things up, a few days ago, Microsoft announced that more parts of the browser now work much faster thanks to WebUI 2.0. You can learn more about the migration to WebUI 2.0 and its performance improvements here. Source Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every day for many years. News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of January): 487 RIP Matrix | Farewell my friend

QNAP has fixed six rsync vulnerabilities that could let attackers gain remote code execution on unpatched Network Attached Storage (NAS) devices. Rsync is an open-source file synchronization tool that supports direct file syncing via its daemon, SSH transfers via SSH, and incremental transfers that save time and bandwidth. It's widely used by many backup solutions like Rclone, DeltaCopy, and ChronoSync, as well as in cloud and server management operations and public file distribution. The flaws are tracked as CVE-2024-12084 (heap buffer overflow), CVE-2024-12085 (information leak via uninitialized stack), CVE-2024-12086 (server leaks arbitrary client files), CVE-2024-12087 (path traversal via --inc-recursive option), CVE-2024-12088 (bypass of --safe-links option), and CVE-2024-12747 (symbolic link race condition). QNAP says they affect HBS 3 Hybrid Backup Sync 25.1.x, the company's data backup and disaster recovery solution, which supports local, remote, and cloud storage services. In a security advisory released on Thursday, QNAP said it addressed these vulnerabilities in HBS 3 Hybrid Backup Sync 25.1.4.952 and advised customers to update their software to the latest version. To update the Hybrid Backup Sync installation on your NAS device, you will have to: Log on to QTS or QuTS hero as an administrator. Open App Center and search for HBS 3 Hybrid Backup Sync. Wait for HBS 3 Hybrid Backup Sync to show up in the search results Click Update and then OK in the follow-up confirmation message. These Rsync flaws can be combined to create exploitation chains that lead to remote system compromise. The attackers only require anonymous read access to vulnerable servers. "When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running," warned CERT/CC one week ago when rsync 3.4.0 was released with security fixes. "The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client." A Shodan search shows more than 700,000 IP addresses with exposed rsync servers. However, it's unclear how many of them are vulnerable to attacks exploiting these security vulnerabilities since successful exploitation requires valid credentials or servers configured for anonymous connections. Source Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every day for many years. News posts... 2023: 5,800+ | 2024: 5,700+ RIP Matrix | Farewell my friend

Microsoft has released two updates for the Edge browser. One is available for all users in the Stable Channel, and the other is for those using Edge in the Extended Stable Channel (it receives big updates every eight weeks instead of four). Both updates contain fixes for four high-severity Chromium security vulnerabilities. The update is available under version 131.0.2903.112 (Stable Channel) and 131.0.2903.99 (Extended Stable Channel). Here is what was fixed: CVE-2024-12695: Out-of-bounds write in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVE-2024-12694: Use after free in Compositing in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2024-12693: Out-of-bounds memory access in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVE-2024-12692: Type Confusion in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Microsoft Edge will update itself automatically in the background, but you can always speed things up by navigating to edge://settings/help and force-install available updates. In other Edge news, Microsoft recently shared some interesting stats about the browser and its usage in 2024. According to the company, users participated in over 10 billion conversations with Copilot, saved on average $400 with built-in shopping assistant tools, and over 7 trillion megabytes of memory were saved with the Sleeping Tabs feature. Source Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every day for many years. 2023: Over 5,800 news posts | 2024 (till end of November): 5,298 news posts RIP Matrix | Farewell my friend

Apple released emergency security updates to patch three new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 16 zero-days fixed this year. Two bugs were found in the WebKit browser engine (CVE-2023-41993) and the Security framework (CVE-2023-41991), enabling attackers to bypass signature validation using malicious apps or gain arbitrary code execution via maliciously crafted webpages. The third one was found in the Kernel Framework, which provides APIs and support for kernel extensions and kernel-resident device drivers. Local attackers can exploit this flaw (CVE-2023-41992) to escalate privileges. Apple fixed the three zero-day bugs in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 by addressing a certificate validation issue and through improved checks. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7," the company revealed in security advisories describing the security flaws. The list of impacted devices encompasses older and newer device models, and it includes: iPhone 8 and later iPad mini 5th generation and later Macs running macOS Monterey and newer Apple Watch Series 4 and later All three zero-days were found and reported by Bill Marczak of the Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group. While Apple has yet to provide additional details regarding the flaws' exploitation in the wild, Citizen Lab and Google Threat Analysis Group security researchers have often disclosed zero-day bugs abused in targeted spyware attacks targeting high-risk individuals, including journalists, opposition politicians, and dissidents. Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064), also fixed by Apple in emergency security updates earlier this month and abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus commercial spyware. Since the start of the year, Apple has also patched: two zero-days (CVE-2023-37450 and CVE-2023-38606) in July three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May two zero-days (CVE-2023-28206 and CVE-2023-28205) in April and another WebKit zero-day (CVE-2023-23529) in February Source

Yesterday, Microsoft released its Patch Tuesday updates for Windows 10 (KB5030211) and Windows 11(KB5030217/KB5030219). Alongside that, the company has also released dynamic updates (KB5030326 and KB5030327) for Windows 11 versions 21H2 and 22H2, respectively, which are meant to improve the Setup process. These are installed automatically though you can also manually download them. As usual, Microsoft also pushed security updates for its Office products, both 2013 and 2016 editions. The updates patch Excel and Outlook information disclosure vulnerability, spoofing, and more. The full list of updates alongside their knowledge base (KB) articles are given below: Microsoft Office 2016 Product Knowledge Base article title and number Excel 2016 Description of the security update for Excel 2016: September 12, 2023 (KB5002496) Office 2016 Description of the security update for Office 2016: September 12, 2023 (KB5002100) Office 2016 Description of the security update for Office 2016: September 12, 2023 (KB5002457) Office 2016 Description of the security update for Office 2016: September 12, 2023 (KB5002498) Outlook 2016 Description of the security update for Outlook 2016: September 12, 2023 (KB5002499) Word 2016 Description of the security update for Word 2016: September 12, 2023 (KB5002497) Microsoft Office 2013 Product Knowledge Base article title and number Excel 2013 Description of the security update for Excel 2013: September 12, 2023 (KB5002488) Office 2013 Description of the security update for Office 2013: September 12, 2023 (KB5002477) Word 2013 Description of the security update for Word 2013: September 12, 2023 (KB5002483) SharePoint Server Subscription Edition Product Knowledge Base article title and number SharePoint Server Subscription Edition Description of the security update for SharePoint Server Subscription Edition: September 12, 2023 (KB5002474) Microsoft SharePoint Server 2019 Product Knowledge Base article title and number SharePoint Server 2019 Description of the security update for SharePoint Server 2019: September 12, 2023 (KB5002472) SharePoint Server 2019 Language Pack September 12, 2023, update for SharePoint Server 2019 Language Pack (KB5002471) Microsoft SharePoint Server 2016 Product Knowledge Base article title and number SharePoint Enterprise Server 2016 Description of the security update for SharePoint Enterprise Server 2016: September 12, 2023 (KB5002494) SharePoint Enterprise Server 2016 Language Pack Description of the security update for SharePoint Enterprise Server 2016 Language Pack: September 12, 2023 (KB5002501) Office Online Server Product Knowledge Base article title and number Office Online Server Description of the security update for Office Online Server: September 12, 2023 (KB5002470) You may find more details in the Microsoft support article. Source

Apple has released iOS 16.5.1, iPadOS 16.5.1, macOS 13.4.1 with security fixes for actively exploited vulnerabilities. It has also released an emergency update for older iPhones, Macs and iPads. Apple patches actively exploited vulnerabilities in iOS, macOS, iPadOS and watchOS The first of the 2 critical security issues was a kernel level bug. The issue, which has been tracked as CVE-2023-32434, could have allowed a malicious app to execute arbitrary code with kernel privileges. Apple says the problem affected iPhones and iPads that were running on older versions of operating systems that were released before iOS 15.7 and iPadOS 15.7. The bug patched an integer overflow with improved input validation. The Cupertino company credited three security researchers from Kaspersky; Georgy Kucherin, Leonid Bezvershenko and Boris Larin for finding and reporting the bug to Apple. These zero-day exploits were revealed by the Russian cybersecurity firm's report on Operation Triangulation. The other security issue is related to WebKit, the browser engine used by Safari and other apps. The bug tracked under CVE-2023-32439 was reported by an anonymous researcher. The release notes for the update indicate that the security issue could allow web pages with malware to execute arbitrary code, and that the type confusion issue was addressed with improved checks. The security fix for the kernel level issue mentioned earlier is also included in macOS Big Sur 11.7.8 and macOS Monterey 12.6.7, while the Safari 16.5.1 update ships with a patch for the other WebKit issue (CVE-2023-32439). Source

Apple addressed three new zero-day vulnerabilities exploited in attacks installing Triangulation spyware on iPhones via iMessage zero-click exploits. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7," the company says when describing Kernel and WebKit vulnerabilities tracked as CVE-2023-32434 and CVE-2023-32435. The two security flaws were found and reported by Kaspersky security researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin. Kaspersky also published a report earlier today with additional details on an iOS spyware component used in a campaign the cybersecurity company tracks as "Operation Triangulation." "The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted," Kaspersky said today. "Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers." Used by U.S. state hackers per FSB claims The attacks started in 2019 and are still ongoing, according to Kaspersky, who reported in early June that some iPhones on its network were infected with previously unknown spyware via iMessage zero-click exploits that exploited iOS zero-day bugs. Kaspersky told BleepingComputer that the attack impacted its Moscow office and employees in other countries. Russia's FSB intelligence and security agency also claimed after Kaspersky's report was published that Apple provided the NSA with a backdoor to help infect iPhones in Russia with spyware. The FSB claimed it found thousands of infected iPhones belonging to Russian government officials and staff from embassies in Israel, China, and NATO member countries. "We have never worked with any government to insert a backdoor into any Apple product and never will," an Apple spokesperson told BleepingComputer. Apple also patched today a WebKit zero-day vulnerability (CVE-2023-32439) reported by an anonymous researcher that can let attackers gain arbitrary code execution on unpatched devices by exploiting a type confusion issue. The company addressed the three zero-days in macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, watchOS 9.5.2, and watchOS 8.8.1 with improved checks, input validation, and state management. The list of affected devices is quite extensive, as the zero-day affects older and newer models, and it includes: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) Macs running macOS Big Sur, Monterey, and Ventura Apple Watch Series 4 and later, Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE Nine zero-days patched since the start of the year Since the start of the year, Apple has patched a total of 9 zero-day vulnerabilities that were exploited in the wild to compromise iPhones, Macs, and iPads. Last month, the company fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373), the first reported by Google Threat Analysis Group and Amnesty International Security Lab researchers and likely used to install commercial spyware. In April, Apple fixed two other zero-days (CVE-2023-28206 and CVE-2023-28205) that were deployed as part of exploit chains of Android, iOS, and Chrome zero-day and n-day flaws, and abused to deploy mercenary spyware on devices belonging to high-risk targets worldwide. In February, Apple addressed another WebKit zero-day (CVE-2023-23529) exploited in attacks to gain code execution on vulnerable iPhones, iPads, and Macs. Source

Update for iOS 16, macOS Ventura can be uninstalled if you're having problems. Yesterday, Apple published a new Rapid Security Response update for iOS 16, iPadOS 16, and macOS Ventura to patch yet another actively exploited WebKit code execution bug. But shortly after installation, users began having issues accessing certain websites, and Apple has apparently pulled the update to fix the problem. According to MacRumors, affected sites include Facebook, Instagram, WhatsApp, and Zoom, which began showing warning messages about not being supported following the update. Luckily for anyone who has installed it, Rapid Security Response updates can be removed just as quickly as they were installed; on iOS, navigate to the About page in the Settings app, tap on your iOS version, and then tap “Remove Security Response.” Removing a Rapid Security Response update on an iPhone running iOS 16.5.1. Andrew Cunningham The benefit of Rapid Security Response updates is that they’re small in size and quick to install. The updates Apple has released so far have required a restart on my devices, but total downtime was much less than it was for a typical software update. This is because Apple has stored many Safari and WebKit components outside of the main Signed System Volume (SSV), a tamper-proof read-only volume for most system files that must be mounted separately, patched, and re-sealed every time most system updates are installed. The downside of Rapid Security Response updates is that they may not be tested as thoroughly as some system updates; Apple is currently on its fifth developer betas of iOS 16.6 and macOS 13.5, and both updates have been in testing since mid-May. Though you’ll typically want to install them quickly because the bugs they’re patching tend to be severe, you may occasionally run into problems. After a restart, the OS will let you know that the update has been removed. Andrew Cunningham WebKit vulnerabilities in iOS tend to be especially severe since any app that wants to render web content needs to use a webview powered by the built-in WebKit engine used by Safari. This includes third-party browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge, which can’t use their own native rendering engines on iOS or iPadOS the way they can on macOS, Windows, or other platforms. Apple has long maintained that this restriction improves security on the platform. Apple announced the Rapid Security Response feature as part of iOS 16 and macOS Ventura last June but didn't actually start using the feature publicly until a couple of months ago. When contacted for comment, an Apple spokesperson pointed us to this support document, which says that new iOS/iPadOS 16.5.1 (b) and macOS 13.4.1 (b) Rapid Security Response updates will be available to resolve the issues soon. Source

Apple has released a series of Rapid Security Response (RSR) updates to address a new zero-day vulnerability, which is being actively exploited. The bug affects iPhones, Macs and iPads, potentially compromising the security and integrity of these devices. The vulnerability, identified as CVE-2023-37450, was reported by an anonymous security researcher. According to Apple's advisories for iOS and macOS, the company knows the issue is being actively exploited. The recently discovered vulnerability resides in WebKit, which is used by Apple, Mozilla and Google in iOS, and can be exploited by tricking users into visiting web pages containing specially crafted content. This exploit could allow attackers to execute arbitrary code on targeted devices, potentially compromising users' privacy and security. They deliver important security improvements between software updates... They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist "in the wild." Apple highlighted that New Rapid Security Responses are delivered only for the latest iOS, iPadOS, and macOS versions, starting with iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1. To secure data and protect against attacks, it strongly recommends that users apply the RSR patches. RSR patches have been introduced as compact updates that address security issues between major software updates on its OSes. They provide critical security fixes to help users address emerging threats on time. In some instances, Apple may give out-of-band security updates to address vulnerabilities actively exploited by hackers. iPhone or iPad: Go to Settings > General > Software Update > Automatic Updates, then make sure that "Security Responses & System Files" is turned on. Mac: Choose the Apple menu > System Settings. Click General in the sidebar, then click Software Update on the right. Click the Show Details button next to Automatic Updates, then make sure that "Install Security Responses and System Files" is turned on. You can check more details about a specific Rapid Security Response in the Apple security patch notes. Source

Today is Microsoft's September 2021 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 60 flaws. Microsoft has fixed 60 vulnerabilities (86 including Microsoft Edge) with today's update, with three classified as Critical, one as Moderate, and 56 as Important. Of the total 86 vulnerabilities (including Microsoft Edge): 27 Elevation of Privilege Vulnerabilities 2 Security Feature Bypass Vulnerabilities 16 Remote Code Execution Vulnerabilities 11 Information Disclosure Vulnerabilities 1 Denial of Service Vulnerabilities 8 Spoofing Vulnerabilities For information about the non-security Windows updates, you can read about today's Windows 10 KB5005565 & KB5005566 cumulative updates. Microsoft fixes Windows MSHTML zero-day Microsoft has released a security update for the Windows MSHTML remote code execution vulnerability tracked as CVE-2021-40444. Last Tuesday, Microsoft disclosed a new zero-day Windows MSHTML remote code execution vulnerability that threat actors actively used in phishing attacks. These attacks distributed malicious Word documents that exploited the CVE-2021-40444 to download and execute a malicious DLL file that installed a Cobalt Strike beacon on the victim's computer. This beacon allows a threat actor to gain remote access to the device to steal files and spread laterally throughout the network. Soon after Microsoft disclosed the vulnerability, threat actors and security researchers began sharing guides on exploiting the vulnerability, which allowed anyone to start using it in attacks, as demonstrated below. With the September 2021 Patch Tuesday updates, Microsoft has released a security update for this vulnerability. As researchers discovered numerous ways to exploit the bug, including a bypass to mitigations, it is not clear if the security update fixes all of the techniques. Two zero-days fixed, with one actively exploited September's Patch Tuesday includes fixes for two zero-day vulnerabilities, with the MSHTML bug actively exploited in the wild. Microsoft classifies a vulnerability as a zero-day if publicly disclosed or actively exploited with no official security updates released. The publicly disclosed, but not actively exploited, zero-day vulnerability is: CVE-2021-36968 - Windows DNS Elevation of Privilege Vulnerability The only actively exploited vulnerability is the Windows MSHTML remote code execution vulnerability, as previously discussed: CVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability Recent updates from other companies Other vendors who released updates in July include: Adobe released security updates for two products. Android's September security updates were released last week. Apple released security updates for iOS and macOS yesterday that fix two zero-day vulnerabilities exploited in the wild. One of the vulnerabilities was used to install the NSO Pegasus spyware on activists's devices. Cisco released security updates for numerous products this month. SAP released its September 2021 security updates. The September 2021 Patch Tuesday Security Updates Below is the complete list of resolved vulnerabilities and released advisories in the September 2021 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here. Tag CVE ID CVE Title Severity Azure Open Management Infrastructure CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability Important Azure Open Management Infrastructure CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability Important Azure Open Management Infrastructure CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability Critical Azure Open Management Infrastructure CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability Important Azure Sphere CVE-2021-36956 Azure Sphere Information Disclosure Vulnerability Important Dynamics Business Central Control CVE-2021-40440 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important Microsoft Accessibility Insights for Android CVE-2021-40448 Microsoft Accessibility Insights for Android Information Disclosure Vulnerability Important Microsoft Edge (Chromium-based) CVE-2021-30606 Chromium: CVE-2021-30606 Use after free in Blink Unknown Microsoft Edge (Chromium-based) CVE-2021-30609 Chromium: CVE-2021-30609 Use after free in Sign-In Unknown Microsoft Edge (Chromium-based) CVE-2021-30608 Chromium: CVE-2021-30608 Use after free in Web Share Unknown Microsoft Edge (Chromium-based) CVE-2021-30607 Chromium: CVE-2021-30607 Use after free in Permissions Unknown Microsoft Edge (Chromium-based) CVE-2021-38641 Microsoft Edge for Android Spoofing Vulnerability Important Microsoft Edge (Chromium-based) CVE-2021-38642 Microsoft Edge for iOS Spoofing Vulnerability Important Microsoft Edge (Chromium-based) CVE-2021-38669 Microsoft Edge (Chromium-based) Tampering Vulnerability Important Microsoft Edge (Chromium-based) CVE-2021-36930 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important Microsoft Edge (Chromium-based) CVE-2021-30632 Chromium: CVE-2021-30632 Out of bounds write in V8 Unknown Microsoft Edge (Chromium-based) CVE-2021-30610 Chromium: CVE-2021-30610 Use after free in Extensions API Unknown Microsoft Edge (Chromium-based) CVE-2021-30620 Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink Unknown Microsoft Edge (Chromium-based) CVE-2021-30619 Chromium: CVE-2021-30619 UI Spoofing in Autofill Unknown Microsoft Edge (Chromium-based) CVE-2021-30618 Chromium: CVE-2021-30618 Inappropriate implementation in DevTools Unknown Microsoft Edge (Chromium-based) CVE-2021-30621 Chromium: CVE-2021-30621 UI Spoofing in Autofill Unknown Microsoft Edge (Chromium-based) CVE-2021-30624 Chromium: CVE-2021-30624 Use after free in Autofill Unknown Microsoft Edge (Chromium-based) CVE-2021-30623 Chromium: CVE-2021-30623 Use after free in Bookmarks Unknown Microsoft Edge (Chromium-based) CVE-2021-30622 Chromium: CVE-2021-30622 Use after free in WebApp Installs Unknown Microsoft Edge (Chromium-based) CVE-2021-30613 Chromium: CVE-2021-30613 Use after free in Base internals Unknown Microsoft Edge (Chromium-based) CVE-2021-30612 Chromium: CVE-2021-30612 Use after free in WebRTC Unknown Microsoft Edge (Chromium-based) CVE-2021-30611 Chromium: CVE-2021-30611 Use after free in WebRTC Unknown Microsoft Edge (Chromium-based) CVE-2021-30614 Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip Unknown Microsoft Edge (Chromium-based) CVE-2021-30617 Chromium: CVE-2021-30617 Policy bypass in Blink Unknown Microsoft Edge (Chromium-based) CVE-2021-30616 Chromium: CVE-2021-30616 Use after free in Media Unknown Microsoft Edge (Chromium-based) CVE-2021-30615 Chromium: CVE-2021-30615 Cross-origin data leak in Navigation Unknown Microsoft Edge (Chromium-based) CVE-2021-26436 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important Microsoft Edge for Android CVE-2021-26439 Microsoft Edge for Android Information Disclosure Vulnerability Moderate Microsoft MPEG-2 Video Extension CVE-2021-38644 Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability Important Microsoft Office CVE-2021-38657 Microsoft Office Graphics Component Information Disclosure Vulnerability Important Microsoft Office CVE-2021-38658 Microsoft Office Graphics Remote Code Execution Vulnerability Important Microsoft Office CVE-2021-38650 Microsoft Office Spoofing Vulnerability Important Microsoft Office CVE-2021-38659 Microsoft Office Remote Code Execution Vulnerability Important Microsoft Office Access CVE-2021-38646 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important Microsoft Office Excel CVE-2021-38655 Microsoft Excel Remote Code Execution Vulnerability Important Microsoft Office Excel CVE-2021-38660 Microsoft Office Graphics Remote Code Execution Vulnerability Important Microsoft Office SharePoint CVE-2021-38651 Microsoft SharePoint Server Spoofing Vulnerability Important Microsoft Office SharePoint CVE-2021-38652 Microsoft SharePoint Server Spoofing Vulnerability Important Microsoft Office Visio CVE-2021-38654 Microsoft Office Visio Remote Code Execution Vulnerability Important Microsoft Office Visio CVE-2021-38653 Microsoft Office Visio Remote Code Execution Vulnerability Important Microsoft Office Word CVE-2021-38656 Microsoft Word Remote Code Execution Vulnerability Important Microsoft Windows Codecs Library CVE-2021-38661 HEVC Video Extensions Remote Code Execution Vulnerability Important Microsoft Windows DNS CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability Important Visual Studio CVE-2021-36952 Visual Studio Remote Code Execution Vulnerability Important Visual Studio CVE-2021-26434 Visual Studio Elevation of Privilege Vulnerability Important Visual Studio CVE-2021-26437 Visual Studio Code Spoofing Vulnerability Important Windows Ancillary Function Driver for WinSock CVE-2021-38628 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important Windows Ancillary Function Driver for WinSock CVE-2021-38638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important Windows Authenticode CVE-2021-36959 Windows Authenticode Spoofing Vulnerability Important Windows Bind Filter Driver CVE-2021-36954 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important Windows BitLocker CVE-2021-38632 BitLocker Security Feature Bypass Vulnerability Important Windows Common Log File System Driver CVE-2021-38633 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important Windows Common Log File System Driver CVE-2021-36963 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important Windows Common Log File System Driver CVE-2021-36955 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important Windows Event Tracing CVE-2021-36964 Windows Event Tracing Elevation of Privilege Vulnerability Important Windows Event Tracing CVE-2021-38630 Windows Event Tracing Elevation of Privilege Vulnerability Important Windows Installer CVE-2021-36962 Windows Installer Information Disclosure Vulnerability Important Windows Installer CVE-2021-36961 Windows Installer Denial of Service Vulnerability Important Windows Kernel CVE-2021-38626 Windows Kernel Elevation of Privilege Vulnerability Important Windows Kernel CVE-2021-38625 Windows Kernel Elevation of Privilege Vulnerability Important Windows Key Storage Provider CVE-2021-38624 Windows Key Storage Provider Security Feature Bypass Vulnerability Important Windows MSHTML Platform CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability Important Windows Print Spooler Components CVE-2021-38667 Windows Print Spooler Elevation of Privilege Vulnerability Important Windows Print Spooler Components CVE-2021-38671 Windows Print Spooler Elevation of Privilege Vulnerability Important Windows Print Spooler Components CVE-2021-40447 Windows Print Spooler Elevation of Privilege Vulnerability Important Windows Redirected Drive Buffering CVE-2021-36969 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important Windows Redirected Drive Buffering CVE-2021-38635 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important Windows Redirected Drive Buffering CVE-2021-36973 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability Important Windows Redirected Drive Buffering CVE-2021-38636 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important Windows Scripting CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability Critical Windows SMB CVE-2021-36960 Windows SMB Information Disclosure Vulnerability Important Windows SMB CVE-2021-36972 Windows SMB Information Disclosure Vulnerability Important Windows SMB CVE-2021-36974 Windows SMB Elevation of Privilege Vulnerability Important Windows Storage CVE-2021-38637 Windows Storage Information Disclosure Vulnerability Important Windows Subsystem for Linux CVE-2021-36966 Windows Subsystem for Linux Elevation of Privilege Vulnerability Important Windows TDX.sys CVE-2021-38629 Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability Important Windows Update CVE-2021-38634 Microsoft Windows Update Client Elevation of Privilege Vulnerability Important Windows Win32K CVE-2021-38639 Win32k Elevation of Privilege Vulnerability Important Windows Win32K CVE-2021-36975 Win32k Elevation of Privilege Vulnerability Important Windows WLAN Auto Config Service CVE-2021-36965 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability Critical Windows WLAN Service CVE-2021-36967 Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability Important Microsoft September 2021 Patch Tuesday fixes 2 zero-days, 60 flaws

Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP. November saw the release of patches from the likes of Apple’s iOS, Google Chrome, Firefox, and Microsoft Windows to fix multiple security vulnerabilities. Some of these issues are pretty severe, and several have already been exploited by attackers. Here’s what you need to know about all the important updates released in the past month. Apple iOS and iPadOS 16.1.1 Apple has released iOS and iPadOS 16.1.1, which the iPhone maker recommends all users apply. The patch fixes two security vulnerabilities—and given the speed of the release, you can assume they are pretty serious. Tracked as CVE-2022-40303 and CVE-2022-40304, the two flaws in the libxml2 software library could allow an attacker to execute code remotely, according to Apple’s support page. The issues were both reported by security researchers working for Google’s Project Zero. For Mac users, the flaws were addressed by macOS Ventura 13.0.1. The good news is, it’s believed neither vulnerability has been exploited by attackers, but it’s still a good idea to apply the update as soon as possible. Microsoft Windows Microsoft’s November Patch Tuesday was another big release, seeing the Windows maker fix 68 vulnerabilities, four of which were zero days. Tracked as CVE-2022-41073, the first is a Windows print spooler elevation of privilege vulnerability that could allow a cybercriminal to gain system privileges. Meanwhile, CVE-2022-41125 is a Windows Cryptographic Next Generation key isolation issue that could allow an adversary to escalate privileges and gain control of the system. CVE-2022-41128 is a Windows scripting language vulnerability that could result in remote code execution. Lastly, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Web security feature. Google Android More big updates for users of Google’s Android devices have arrived in November, with Google issuing patches for multiple vulnerabilities, some of which are serious. At the top of the list is a high-severity vulnerability in the Framework component that could lead to local escalation of privilege, Google said in a security advisory. The patches in November include two Google Play system updates for issues impacting the Media Framework components (CVE-2022-2209) and WiFi (CVE-2022-20463). Google also fixed five issues affecting its Pixel devices. The Android updates have started to roll out to Samsung devices, including third- and fourth-generation Galaxy foldables. You can check for the update in your Settings. Google Chrome The world’s most popular browser continues to be a major target for attackers, with Google this month fixing its eighth zero-day vulnerability this year. The vulnerability, tracked as CVE-2022-4135, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google's own threat analysis group. Google said it “is aware that an exploit for CVE-2022-4135 exists in the wild.” Earlier in the month, Google issued an update to fix 10 Chrome vulnerabilities, six of which are rated as high-severity. These include four use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888. Meanwhile, CVE-2022-3889 is a “type confusion” issue in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad. Mozilla Firefox November was also a big month for Google Chrome competitor Firefox. Mozilla has issued Firefox 107, fixing 19 security vulnerabilities, eight of which are marked as having a high impact. One of the most important patches is for CVE-2022-45404, a full-screen notification bypass that could allow an attacker to cause a window to go full-screen without the user seeing the notification prompt. This could result in spoofing attacks. Meanwhile, several use-after-free bugs could lead to an exploitable crash, and one flaw could be exploited to run arbitrary code. VMWare Software maker VMWare has released security fixes for multiple security vulnerabilities in its VMware Workspace ONE Assist, three of which have a CVSSv3 base score of 9.8. The first, CVE-2022-31685, is an authentication bypass vulnerability. “A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application,” VMWare warned in an advisory. A broken authentication method vulnerability tracked as CVE-2022-31686 could enable a malicious actor with network access to obtain admin access without the need to authenticate. CVE-2022-31687, a broken access control vulnerability, could also allow an adversary with network access to gain administrative access without authenticating. Cisco Cisco has patched 33 security vulnerabilities in its enterprise firewall products, two of which have a high severity rating of 8.6. The first, CVE-2022-20947, is a vulnerability in the dynamic access policies functionality of Cisco Adaptive Security Appliance Software and Firepower Threat Defense software. This could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in denial of service (DoS). Meanwhile, CVE-2022-20946 is an issue in the generic routing encapsulation tunnel decapsulation feature of Cisco Firepower Threat Defense Software that could allow an unauthenticated, remote attacker to cause DoS on an affected device. Citrix November has also seen a security release from enterprise software maker Citrix, which has fixed vulnerabilities in Citrix Gateway and Citrix ADC. CVE-2022-27510 could allow unauthorized access to Gateway user capabilities, while CVE-2022-27513 could enable remote desktop takeover via phishing. CVE-2022-27516 is a user login brute force protection functionality bypass issue. Affected customers of Citrix ADC and Citrix Gateway should install the relevant updated versions as soon as possible, Citrix says on its support page. SAP Software firm SAP has released multiple fixes in its November 2022 Security Patch Day, one of which has a CVSS score of 9.9. CVE-2022-41203 is an issue in the SAP BusinessObjects BI Platform that could allow an authenticated attacker with low privileges to intercept a serialized object in the parameters and substitute it with a malicious one. This could lead to a deserialization of untrusted data vulnerability with the ability to “compromise the confidentiality, integrity, and availability of the system,” SAP said. Drop What You're Doing and Update iOS, Android, and Windows (May require free registration to view)

Apple has released the macOS Ventura 13.0.1, iOS 16.1.1 and iPadOS 16.1.1 for all users. The updates patch two security vulnerabilities in the operating systems. What's new in macOS Ventura 13.0.1, iOS 16.1.1 and iPadOS 16.1.1 The Cupertino company has credited three security researchers of the Google Project Zero team for discovering the vulnerabilities. According to the release notes published on Apple's website, both issues are related to libxml2, which is a library that is used for parsing XML and HTML files. So these vulnerabilities affect other operating systems as well, including Linux distros. The first issue, which has been identified as CVE-2022-40303, could allow a remote user attackers to terminate an app or execute arbitrary code. Apple says it fixed the issue by addressing an integer overflow through improved input validation. The other issue, filed as CVE-2022-40304, could have a similar impact, i.e. an attack can cause an unexpected app termination or remote code execution. The vulnerability was mitigated by improving some checks. You can find the original reports by the security experts here: 1 and 2. Usually, when such vulnerabilities have been exploited by threat actors, Apple mentions it in the security update documentation to educate users about potential risks. These two security issues, however, don't have that warning, which means that no known attacks have been reported. That doesn't mean you should skip the update, macOS 13.0.1 is the first update that has rolled out since macOS Ventura was released a few weeks ago. The firmware build number is 22A400. If you haven't updated to the new operating system yet, you may want to read our previous articles to learn about the new features in macOS 13. For those who are still finding their way around the new System Settings, you can check for updates manually by going to the General > Software Update page. The iOS 16.1.1 update is available for the iPhone 8 and later, while the iPadOS 16.1.1 update is available for all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, and the iPad Mini 5th generation and later. Apple is yet to patch the vulnerabilities for devices that are running on iOS 15, iPadOS 15, macOS Big Sur and Monterey. This is not unusual, the company releases security updates for legacy devices a few days after patching the current versions of the operating systems. You can keep an eye on Apple's security updates page to see if an update is available for your iPhone, iPad or Mac. You will also find the release notes for iOS 16.1.1, iPados 16.1.1, along with the change log for macOS 13.0.1 on the same page. I noticed a minor bug in the Settings app's Software Update section, it showed that the macOS 13.0.1 update is about 606 MB in size. But, the actual download size that was reported by the updater was more than double of that, at around 1.46 GB. I haven't come across any other issues in macOS Ventura, and I've been using it since the first Dev build was released. That said, Apple seems to have improved the installation process for the updates, it's noticeably faster now. My MacBook Air was ready to use in a few minutes after a restart to complete the process. That's quite impressive, as it usually took 10-20 minutes even for minor updates to be installed on macOS Monterey. Have you updated your device? Apple releases macOS Ventura 13.0.1, iOS 16.1.1 and iPadOS 16.1.1 to patch two security issues

Microsoft Edge has received an important update in the Stable Channel. It does not contain any new features or visible improvements, but it fixes six security vulnerabilities to make your browsing experience safer. Version 126.0.2592.68 is now available for download with two Edge-specific patches and four Chromium-related fixes for high-severity vulnerabilities. Here are the Chromium-related vulnerabilities that Microsoft Edge 126.0.2592.68 fixes: CVE-2024-6103: Use after free in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2024-6102: Out-of-bounds memory access in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2024-6101: Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to perform out-of-bounds memory access via a crafted HTML page. (Chromium security severity: High) CVE-2024-6100: Type Confusion in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) Microsoft Edge will update itself automatically in the background and apply the update upon the next restart. As usual, you can force-update the browser by heading to Menu > Help & Feedback > About Microsoft Edge or the edge://settings/help page. As a reminder, Microsoft released Edge 126 in the Stable Channel earlier this month. The update brought an AI-based theme generator, Copilot summarization notifications, security setting controls in the Microsoft Edge management service, and plenty of various under-the-hood improvements or small fixes. Check out the release notes for Microsoft Edge 126 here. Source Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every single day for many years. 2023: Over 5,800 news posts | 2024 (till end of May): Nearly 2,400 news posts

Google has released the Android October security updates, addressing 41 vulnerabilities, all ranging between high and critical severity. On the 5th of each month, Google releases the complete security patch for the Android OS which contains both the framework and the vendor fixes for that month. As such, this update also incorporates fixes for the 10 vulnerabilities that were addressed in the Security patch level 2021-10-01, released a couple of days back. The high-severity flaws fixed this month concern denial of service, elevation of privilege, remote code execution, and information disclosure issues. The three critical severity flaws in the set are tracked as: CVE-2021-0870: Remote code execution flaw in Android System, enabling a remote attacker to execute arbitrary code within the context of a privileged process. CVE-2020-11264: Critical flaw affecting Qualcomm’s WLAN component, concerning the acceptance of non-EAPOL/WAPI frames from unauthorized peers received in the IPA exception path. CVE-2020-11301: Critical flaw affecting Qualcomm’s WLAN component, concerning the acceptance of unencrypted (plaintext) frames on secure networks. Critical but unexploited None of the 41 flaws addressed this month have been reported to be under active exploitation in the wild, so there should be no working exploits for them circulating out there. Older devices that are no longer supported with security updates now have an increased attack surface, as some of the vulnerabilities fixed this month are excellent candidates for threat actors to create working exploits in the future. Remember, Android security patches aren’t bound to Android versions, and the above fixes concern all versions from Android 8.1 to Android 11. As such, the OS version isn’t a determining factor in whether or not your device is still supported. If you have confirmed that your device has reached the EOL date, you should either install a third-party Android distribution that still delivers monthly security patches for your model, or replace it with a new one. Android fans have been eagerly waiting for the release of version 12, which was rumored for October 4, 2021, but what they got instead was the source of Android 12 pushed to the Android Open Source Project. This step signifies that the actual release is just around the corner, and OTA upgrade alerts could hit eligible devices, like the Pixel, very soon. Android October patch fixes three critical bugs, 41 flaws in total

Today is Microsoft's January 2022 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 97 flaws. Microsoft has fixed 97 vulnerabilities (not including 29 Microsoft Edge vulnerabilities ) with today's update, with nine classified as Critical and 88 as Important. The number of each type of vulnerability is listed below: 41 Elevation of Privilege Vulnerabilities 9 Security Feature Bypass Vulnerabilities 29 Remote Code Execution Vulnerabilities 6 Information Disclosure Vulnerabilities 9 Denial of Service Vulnerabilities 3 Spoofing Vulnerabilities Six zero-days fixed, none actively exploited This month's Patch Tuesday includes fixes for six publicly disclosed zero-day vulnerabilities. The good news is that none of them have been actively exploited in attacks. Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The publicly disclosed vulnerabilities fixes as part of the December 2021 Patch Tuesday are: CVE-2021-22947 - Open Source Curl Remote Code Execution Vulnerability CVE-2021-36976 - Libarchive Remote Code Execution Vulnerability CVE-2022-21919 - Windows User Profile Service Elevation of Privilege Vulnerability CVE-2022-21836 - Windows Certificate Spoofing Vulnerability CVE-2022-21839 - Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability CVE-2022-21874 - Windows Security Center API Remote Code Execution Vulnerability Both the Curl and Libarchive vulnerabilities had already been fixed by their maintainers but the fixes were not added to Windows until today. However, as many of these have public proof-of-concept exploits available, they will likely be exploited by threat actors soon. Recent updates from other companies Other vendors who released updates in January 2022 include: Adobe's January updates are released today. Android's December security updates were released last week. Cisco released security updates for numerous products this month, including Cisco Prime Infrastructure and Cisco Common Services Platform Collector. SAP released its January 2022 security updates. VMWare released fixes for a code execution vulnerability in VMWare Workstation, Fusion, and ESXi. The January 2022 Patch Tuesday Security Updates Below is the complete list of resolved vulnerabilities and released advisories in the January 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here. Tag CVE ID CVE Title Severity .NET Framework CVE-2022-21911 .NET Framework Denial of Service Vulnerability Important Microsoft Dynamics CVE-2022-21932 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability Important Microsoft Dynamics CVE-2022-21891 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability Important Microsoft Edge (Chromium-based) CVE-2022-0105 Chromium: CVE-2022-0105 Use after free in PDF Unknown Microsoft Edge (Chromium-based) CVE-2022-0102 Chromium: CVE-2022-0102 Type Confusion in V8 Unknown Microsoft Edge (Chromium-based) CVE-2022-0104 Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE Unknown Microsoft Edge (Chromium-based) CVE-2022-0101 Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks Unknown Microsoft Edge (Chromium-based) CVE-2022-0103 Chromium: CVE-2022-0103 Use after free in SwiftShader Unknown Microsoft Edge (Chromium-based) CVE-2022-0109 Chromium: CVE-2022-0109 Inappropriate implementation in Autofill Unknown Microsoft Edge (Chromium-based) CVE-2022-0110 Chromium: CVE-2022-0110 Incorrect security UI in Autofill Unknown Microsoft Edge (Chromium-based) CVE-2022-0108 Chromium: CVE-2022-0108 Inappropriate implementation in Navigation Unknown Microsoft Edge (Chromium-based) CVE-2022-0106 Chromium: CVE-2022-0106 Use after free in Autofill Unknown Microsoft Edge (Chromium-based) CVE-2022-0107 Chromium: CVE-2022-0107 Use after free in File Manager API Unknown Microsoft Edge (Chromium-based) CVE-2022-21954 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important Microsoft Edge (Chromium-based) CVE-2022-21970 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important Microsoft Edge (Chromium-based) CVE-2022-21931 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important Microsoft Edge (Chromium-based) CVE-2022-21929 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate Microsoft Edge (Chromium-based) CVE-2022-21930 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Important Microsoft Edge (Chromium-based) CVE-2022-0099 Chromium: CVE-2022-0099 Use after free in Sign-in Unknown Microsoft Edge (Chromium-based) CVE-2022-0100 Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API Unknown Microsoft Edge (Chromium-based) CVE-2022-0098 Chromium: CVE-2022-0098 Use after free in Screen Capture Unknown Microsoft Edge (Chromium-based) CVE-2022-0096 Chromium: CVE-2022-0096 Use after free in Storage Unknown Microsoft Edge (Chromium-based) CVE-2022-0097 Chromium: CVE-2022-0097 Inappropriate implementation in DevTools Unknown Microsoft Edge (Chromium-based) CVE-2022-0116 Chromium: CVE-2022-0116 Inappropriate implementation in Compositing Unknown Microsoft Edge (Chromium-based) CVE-2022-0117 Chromium: CVE-2022-0117 Policy bypass in Service Workers Unknown Microsoft Edge (Chromium-based) CVE-2022-0115 Chromium: CVE-2022-0115 Uninitialized Use in File API Unknown Microsoft Edge (Chromium-based) CVE-2022-0113 Chromium: CVE-2022-0113 Inappropriate implementation in Blink Unknown Microsoft Edge (Chromium-based) CVE-2022-0114 Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial Unknown Microsoft Edge (Chromium-based) CVE-2022-0118 Chromium: CVE-2022-0118 Inappropriate implementation in WebShare Unknown Microsoft Edge (Chromium-based) CVE-2022-0111 Chromium: CVE-2022-0111 Inappropriate implementation in Navigation Unknown Microsoft Edge (Chromium-based) CVE-2022-0112 Chromium: CVE-2022-0112 Incorrect security UI in Browser UI Unknown Microsoft Edge (Chromium-based) CVE-2022-0120 Chromium: CVE-2022-0120 Inappropriate implementation in Passwords Unknown Microsoft Exchange Server CVE-2022-21969 Microsoft Exchange Server Remote Code Execution Vulnerability Important Microsoft Exchange Server CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability Critical Microsoft Exchange Server CVE-2022-21855 Microsoft Exchange Server Remote Code Execution Vulnerability Important Microsoft Graphics Component CVE-2022-21904 Windows GDI Information Disclosure Vulnerability Important Microsoft Graphics Component CVE-2022-21903 Windows GDI Elevation of Privilege Vulnerability Important Microsoft Graphics Component CVE-2022-21915 Windows GDI+ Information Disclosure Vulnerability Important Microsoft Graphics Component CVE-2022-21880 Windows GDI+ Information Disclosure Vulnerability Important Microsoft Office CVE-2022-21840 Microsoft Office Remote Code Execution Vulnerability Critical Microsoft Office Excel CVE-2022-21841 Microsoft Excel Remote Code Execution Vulnerability Important Microsoft Office SharePoint CVE-2022-21837 Microsoft SharePoint Server Remote Code Execution Vulnerability Important Microsoft Office Word CVE-2022-21842 Microsoft Word Remote Code Execution Vulnerability Important Microsoft Windows Codecs Library CVE-2022-21917 HEVC Video Extensions Remote Code Execution Vulnerability Critical Open Source Software CVE-2021-22947 Open Source Curl Remote Code Execution Vulnerability Critical Role: Windows Hyper-V CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability Important Role: Windows Hyper-V CVE-2022-21900 Windows Hyper-V Security Feature Bypass Vulnerability Important Role: Windows Hyper-V CVE-2022-21905 Windows Hyper-V Security Feature Bypass Vulnerability Important Role: Windows Hyper-V CVE-2022-21847 Windows Hyper-V Denial of Service Vulnerability Important Tablet Windows User Interface CVE-2022-21870 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability Important Windows Account Control CVE-2022-21859 Windows Accounts Control Elevation of Privilege Vulnerability Important Windows Active Directory CVE-2022-21857 Active Directory Domain Services Elevation of Privilege Vulnerability Critical Windows AppContracts API Server CVE-2022-21860 Windows AppContracts API Server Elevation of Privilege Vulnerability Important Windows Application Model CVE-2022-21862 Windows Application Model Core API Elevation of Privilege Vulnerability Important Windows BackupKey Remote Protocol CVE-2022-21925 Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability Important Windows Bind Filter Driver CVE-2022-21858 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important Windows Certificates CVE-2022-21836 Windows Certificate Spoofing Vulnerability Important Windows Cleanup Manager CVE-2022-21838 Windows Cleanup Manager Elevation of Privilege Vulnerability Important Windows Clipboard User Service CVE-2022-21869 Clipboard User Service Elevation of Privilege Vulnerability Important Windows Cluster Port Driver CVE-2022-21910 Microsoft Cluster Port Driver Elevation of Privilege Vulnerability Important Windows Common Log File System Driver CVE-2022-21897 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important Windows Common Log File System Driver CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important Windows Connected Devices Platform Service CVE-2022-21865 Connected Devices Platform Service Elevation of Privilege Vulnerability Important Windows Cryptographic Services CVE-2022-21835 Microsoft Cryptographic Services Elevation of Privilege Vulnerability Important Windows Defender CVE-2022-21921 Windows Defender Credential Guard Security Feature Bypass Vulnerability Important Windows Defender CVE-2022-21906 Windows Defender Application Control Security Feature Bypass Vulnerability Important Windows Devices Human Interface CVE-2022-21868 Windows Devices Human Interface Elevation of Privilege Vulnerability Important Windows Diagnostic Hub CVE-2022-21871 Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability Important Windows DirectX CVE-2022-21898 DirectX Graphics Kernel Remote Code Execution Vulnerability Critical Windows DirectX CVE-2022-21918 DirectX Graphics Kernel File Denial of Service Vulnerability Important Windows DirectX CVE-2022-21912 DirectX Graphics Kernel Remote Code Execution Vulnerability Critical Windows DWM Core Library CVE-2022-21852 Windows DWM Core Library Elevation of Privilege Vulnerability Important Windows DWM Core Library CVE-2022-21902 Windows DWM Core Library Elevation of Privilege Vulnerability Important Windows DWM Core Library CVE-2022-21896 Windows DWM Core Library Elevation of Privilege Vulnerability Important Windows Event Tracing CVE-2022-21872 Windows Event Tracing Elevation of Privilege Vulnerability Important Windows Event Tracing CVE-2022-21839 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability Important Windows Geolocation Service CVE-2022-21878 Windows Geolocation Service Remote Code Execution Vulnerability Important Windows HTTP Protocol Stack CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability Critical Windows IKE Extension CVE-2022-21843 Windows IKE Extension Denial of Service Vulnerability Important Windows IKE Extension CVE-2022-21890 Windows IKE Extension Denial of Service Vulnerability Important Windows IKE Extension CVE-2022-21883 Windows IKE Extension Denial of Service Vulnerability Important Windows IKE Extension CVE-2022-21889 Windows IKE Extension Denial of Service Vulnerability Important Windows IKE Extension CVE-2022-21848 Windows IKE Extension Denial of Service Vulnerability Important Windows IKE Extension CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability Important Windows Installer CVE-2022-21908 Windows Installer Elevation of Privilege Vulnerability Important Windows Kerberos CVE-2022-21920 Windows Kerberos Elevation of Privilege Vulnerability Important Windows Kernel CVE-2022-21881 Windows Kernel Elevation of Privilege Vulnerability Important Windows Kernel CVE-2022-21879 Windows Kernel Elevation of Privilege Vulnerability Important Windows Libarchive CVE-2021-36976 Libarchive Remote Code Execution Vulnerability Important Windows Local Security Authority CVE-2022-21913 Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass Important Windows Local Security Authority Subsystem Service CVE-2022-21884 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability Important Windows Modern Execution Server CVE-2022-21888 Windows Modern Execution Server Remote Code Execution Vulnerability Important Windows Push Notifications CVE-2022-21867 Windows Push Notifications Apps Elevation Of Privilege Vulnerability Important Windows RDP CVE-2022-21851 Remote Desktop Client Remote Code Execution Vulnerability Important Windows RDP CVE-2022-21850 Remote Desktop Client Remote Code Execution Vulnerability Important Windows RDP CVE-2022-21893 Remote Desktop Protocol Remote Code Execution Vulnerability Important Windows Remote Access Connection Manager CVE-2022-21914 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important Windows Remote Access Connection Manager CVE-2022-21885 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important Windows Remote Desktop CVE-2022-21964 Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability Important Windows Remote Procedure Call Runtime CVE-2022-21922 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important Windows Resilient File System (ReFS) CVE-2022-21961 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important Windows Resilient File System (ReFS) CVE-2022-21959 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important Windows Resilient File System (ReFS) CVE-2022-21958 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important Windows Resilient File System (ReFS) CVE-2022-21960 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important Windows Resilient File System (ReFS) CVE-2022-21963 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important Windows Resilient File System (ReFS) CVE-2022-21892 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important Windows Resilient File System (ReFS) CVE-2022-21962 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important Windows Resilient File System (ReFS) CVE-2022-21928 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important Windows Secure Boot CVE-2022-21894 Secure Boot Security Feature Bypass Vulnerability Important Windows Security Center CVE-2022-21874 Windows Security Center API Remote Code Execution Vulnerability Important Windows StateRepository API CVE-2022-21863 Windows StateRepository API Server file Elevation of Privilege Vulnerability Important Windows Storage CVE-2022-21875 Windows Storage Elevation of Privilege Vulnerability Important Windows Storage Spaces Controller CVE-2022-21877 Storage Spaces Controller Information Disclosure Vulnerability Important Windows System Launcher CVE-2022-21866 Windows System Launcher Elevation of Privilege Vulnerability Important Windows Task Flow Data Engine CVE-2022-21861 Task Flow Data Engine Elevation of Privilege Vulnerability Important Windows Tile Data Repository CVE-2022-21873 Tile Data Repository Elevation of Privilege Vulnerability Important Windows UEFI CVE-2022-21899 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability Important Windows UI Immersive Server CVE-2022-21864 Windows UI Immersive Server API Elevation of Privilege Vulnerability Important Windows User Profile Service CVE-2022-21895 Windows User Profile Service Elevation of Privilege Vulnerability Important Windows User Profile Service CVE-2022-21919 Windows User Profile Service Elevation of Privilege Vulnerability Important Windows User-mode Driver Framework CVE-2022-21834 Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability Important Windows Virtual Machine IDE Drive CVE-2022-21833 Virtual Machine IDE Drive Elevation of Privilege Vulnerability Critical Windows Win32K CVE-2022-21882 Win32k Elevation of Privilege Vulnerability Important Windows Win32K CVE-2022-21876 Win32k Information Disclosure Vulnerability Important Windows Win32K CVE-2022-21887 Win32k Elevation of Privilege Vulnerability Important Windows Workstation Service Remote Protocol CVE-2022-21924 Workstation Service Remote Protocol Security Feature Bypass Vulnerability Important Microsoft January 2022 Patch Tuesday fixes 6 zero-days, 97 flaws