Patch Your Microsoft Windows and Office: Fortinet Discovers Three Zero-Day Remote Code Execution Vulnerabilities

The Patch Tuesday cycle has begun once again and the team at Fortinet has announced some of the conditions surrounding several of the Windows and Office related patches that have been released by Microsoft.  Please review your environments and patch your systems accordingly.

https://www.fortinet.com/blog/threat-research/microsoft-windows-office-zeroday-remote-code-vulnerabilities.html

Latest Chrome update plugs a zero-day hole

I particularly like the title from the linked article from “The Register” – “Put down the cat, coffee, beer pint, martini, whatever you’re holding, and make sure you’ve updated Chrome (unless you enjoy being hacked)” .  It is imperative that we all patch these types of zero day vulnerabilities, especially once they are active in the wild.  Review and patch accordingly!

https://www.theregister.co.uk/2019/03/07/google_chrome_zero_day/

https://www.welivesecurity.com/2019/03/07/latest-chrome-update-plugs-zero-day-hole/

LastPass password manager “zero-day” bug hits the news

This is a very good, common sense explanation of the “zero-day” vulnerability that has been discussed in the press for the popular password manager LastPass.  I agree that caution is warranted, but I do not believe it is time to wholesale abandon the product or the use of password managers in general.  Watch for the patch and apply as soon as possible.

https://nakedsecurity.sophos.com/2016/07/27/lastpass-password-manager-zero-day-bug-hits-the-news/

Microsoft Zero Day Exposes 100 Companies to PoS Attack

This article is an excellent reminder of why it is very important for retailers to move forward with the implementation of EMV/Chip-Pin card readers and the necessary associated Point-of-Sale software.  Far too many retailers have hardware in place, but that the software to leverage this new technology.

It is also important to remember that value of timely patching of all systems, regardless of the card handling mechanisms in place.

https://threatpost.com/microsoft-zero-day-exposes-100-companies-to-pos-attack/118026/

FBI might have a way to unlock shooter’s iPhone without Apple’s help

I must admit that my first gut reaction to this story was to make a joke about the FBI discovering Google and realizing that there are numerous other ways to extract data from a mobile device without a court order.  That said, there are serious implications to personal security is the FBI has discovered or has been given an iPhone Zero-day that can be exploited in the wild.  Many an ethical and social dilemma arise from this conversation.  I suppose we will have to wait and see.

https://nakedsecurity.sophos.com/2016/03/22/fbi-might-have-a-way-to-unlock-shooters-iphone-without-apples-help/

Google’s Project Zero backs off a bit – will now give up to 14 days’ grace

The debate continues around zero-day vulnerabilities and how they should be reported and addressed.  Google has backed off a bit from their initial strict 90-day for remediation and reporting.  Regardless of which side of this argument you support, the debate is worthwhile and is moving the patch process forward for critical software.

https://nakedsecurity.sophos.com/2015/02/16/googles-project-zero-backs-off-a-bit-will-now-give-up-to-14-days-grace/