Security

New Microsoft Office zero-day used in attacks to execute PowerShell

posted on May 30, 2022
by l33tdawg
Credit: Bleeping Computer

Security researchers have discovered a new Microsoft Office zero-day vulnerability that is being used in attacks to execute malicious PowerShell commands via Microsoft Diagnostic Tool (MSDT) simply by opening a Word document.

The vulnerability, which has yet to receive a tracking number and is referred to by the infosec community as 'Follina,' is leveraged using malicious Word documents that execute PowerShell commands via the MSDT.

Fake Windows exploits target infosec community with Cobalt Strike

posted on May 24, 2022
by l33tdawg
Credit: Bleeping Computer

A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor.

Whoever is behind these attacks took advantage of recently patched Windows remote code execution vulnerabilities tracked as CVE-2022-24500 and CVE-2022-26809.

Researchers find backdoor lurking in WordPress plugin used by schools

posted on May 22, 2022
by l33tdawg
Credit: Arstechnica

Researchers said on Friday that they found a malicious backdoor in a WordPress plugin that gave attackers full control of websites that used the package, which is marketed to schools.

The premium version of School Management, a plugin schools use to operate and manage their websites, has contained the backdoor since at least version 8.9, researchers at website security service Jetpack said in a blog post without ruling out that it had been present in earlier versions. This page from a third-party site shows that version 8.9 was released last August.

New Bluetooth hack can unlock your Tesla—and all kinds of other devices

posted on May 19, 2022
by l33tdawg
Credit: Arstechnica

When you use your phone to unlock a Tesla, the device and the car use Bluetooth signals to measure their proximity to each other. Move close to the car with the phone in hand, and the door automatically unlocks. Move away, and it locks. This proximity authentication works on the assumption that the key stored on the phone can only be transmitted when the locked device is within Bluetooth range.

NVIDIA fixes ten vulnerabilities in Windows GPU display drivers

posted on May 17, 2022
by l33tdawg
Credit: Bleeping Computer

NVIDIA has released a security update for a wide range of graphics card models, addressing four high-severity and six medium-severity vulnerabilities in its GPU drivers.

The security update fixes vulnerabilities that can lead to denial of service, information disclosure, elevation of privileges, code execution, etc. The updates have been made available for Tesla, RTX/Quadro, NVS, Studio, and GeForce software products, covering driver branches R450, R470, and R510.

Researchers devise iPhone malware that runs even when device is turned off

posted on May 16, 2022
by l33tdawg
Credit: Arstechnica

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.

Apple emergency update fixes zero-day used to hack Macs, Watches

posted on May 16, 2022
by l33tdawg
Credit: Bleeping Computer

Apple has released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watch devices.

Zero-days are security flaws that the software vendor is unaware of and hasn't yet patched. In some cases, this type of vulnerability may also have publicly available proof-of-concept exploits before a patch arrives or may be actively exploited in the wild.

Backdoor in public repository used new form of attack to target big firms

posted on May 11, 2022
by l33tdawg
Credit: Arstechnica

A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploits public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.

Android 13 Tries to Make Privacy and Security a No-Brainer

posted on May 11, 2022
by l33tdawg
Credit: Wired

For years, Android’s security and privacy teams have been wrestling the world’s most popular mobile operating system to make it more controllable and updatable while still being open source and easy to deploy. And while scams, malware, and rogue apps are still real threats, the debut of Android 13 at Google’s I/O developer’s conference on Wednesday feels less like triage mode and more like a logical iteration. As Charmaine D'Silva, Android’s director of product management puts it, “This is the release where we bring it all together.”