Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo

Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo,

Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems.
The list of the flaws is below –

CVE-2023-22505 (CVSS score: 8.0) – RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and

,

Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems.
The list of the flaws is below –

CVE-2023-22505 (CVSS score: 8.0) – RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and

, ,
https://thehackernews.com/2023/07/atlassian-releases-patches-for-critical.html

Ivanti Releases Urgent Patch for EPMM Zero-Day Vulnerability Under Active Exploitation

Ivanti Releases Urgent Patch for EPMM Zero-Day Vulnerability Under Active Exploitation,

Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability.
Dubbed CVE-2023-35078, the issue has been described as a remote unauthenticated API access vulnerability that impacts currently supported version 11.4 releases 11.10, 11.9, and 11.8 as

,

Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability.
Dubbed CVE-2023-35078, the issue has been described as a remote unauthenticated API access vulnerability that impacts currently supported version 11.4 releases 11.10, 11.9, and 11.8 as

, ,
https://thehackernews.com/2023/07/ivanti-releases-urgent-patch-for-epmm.html

Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs

Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs,

Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild.
Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management.
« 

,

Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild.
Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management.
« 

, ,
https://thehackernews.com/2023/07/apple-rolls-out-urgent-patches-for-zero.html

Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks

Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks,

Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks.
The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and

,

Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks.
The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and

, ,
https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html

Google Messages Getting Cross-Platform End-to-End Encryption with MLS Protocol

Google Messages Getting Cross-Platform End-to-End Encryption with MLS Protocol,

Google has announced that it intends to add support for Message Layer Security (MLS) to its Messages service for Android and open source implementation of the specification.
« Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform, » Giles Hogben, privacy engineering

,

Google has announced that it intends to add support for Message Layer Security (MLS) to its Messages service for Android and open source implementation of the specification.
« Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform, » Giles Hogben, privacy engineering

, ,
https://thehackernews.com/2023/07/google-messages-getting-cross-platform.html

How to Protect Patients and Their Privacy in Your SaaS Apps

How to Protect Patients and Their Privacy in Your SaaS Apps,

The healthcare industry is under a constant barrage of cyberattacks. It has traditionally been one of the most frequently targeted industries, and things haven’t changed in 2023. The U.S. Government’s Office for Civil Rights reported 145 data breaches in the United States during the first quarter of this year. That follows 707 incidents a year ago, during which over 50 million records were

,

The healthcare industry is under a constant barrage of cyberattacks. It has traditionally been one of the most frequently targeted industries, and things haven’t changed in 2023. The U.S. Government’s Office for Civil Rights reported 145 data breaches in the United States during the first quarter of this year. That follows 707 incidents a year ago, during which over 50 million records were

, ,
https://thehackernews.com/2023/07/how-to-protect-patients-and-their.html

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection,

Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
« This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent, » Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.

,

Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
« This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent, » Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.

, ,
https://thehackernews.com/2023/07/new-openssh-vulnerability-exposes-linux.html

Banking Sector Targeted in Open-Source Software Supply Chain Attacks

Banking Sector Targeted in Open-Source Software Supply Chain Attacks,

Cybersecurity researchers said they have discovered what they say is the first open-source software supply chain attacks specifically targeting the banking sector.
« These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it, » Checkmarx said in a report published last week.
« The attackers

,

Cybersecurity researchers said they have discovered what they say is the first open-source software supply chain attacks specifically targeting the banking sector.
« These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it, » Checkmarx said in a report published last week.
« The attackers

, ,
https://thehackernews.com/2023/07/banking-sector-targeted-in-open-source.html

Apple Threatens to Pull iMessage and FaceTime from U.K. Amid Surveillance Demands

Apple Threatens to Pull iMessage and FaceTime from U.K. Amid Surveillance Demands,

Apple has warned that it would rather stop offering iMessage and FaceTime services in the U.K. than bowing down to government pressure in response to new proposals that seek to expand digital surveillance powers available to state intelligence agencies.
The development, first reported by BBC News, makes the iPhone maker the latest to join the chorus of voices protesting against forthcoming

,

Apple has warned that it would rather stop offering iMessage and FaceTime services in the U.K. than bowing down to government pressure in response to new proposals that seek to expand digital surveillance powers available to state intelligence agencies.
The development, first reported by BBC News, makes the iPhone maker the latest to join the chorus of voices protesting against forthcoming

, ,
https://thehackernews.com/2023/07/apple-threatens-to-pull-imessage-and.html

Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports

Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports,

The recent attack against Microsoft’s email infrastructure by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought.
According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and

,

The recent attack against Microsoft’s email infrastructure by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought.
According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and

, ,
https://thehackernews.com/2023/07/azure-ad-token-forging-technique-in.html