
Tag

#microsoft

CVE-2021-37958: Chromium: CVE-2021-37958 Inappropriate implementation in Navigation

*What is the version information for this release?* Microsoft Edge Version: 94.0.992.31. Date Released: 9/24/2021. Based on Chromium Version: 94.0.4606.54.

Microsoft Security Response Center
#Microsoft Edge (Chromium-based) #Security Vulnerability #microsoft

CVE-2021-37957: Chromium: CVE-2021-37957 Use after free in WebGPU

*What is the version information for this release?* Microsoft Edge Version: 94.0.992.31. Date Released: 9/24/2021. Based on Chromium Version: 94.0.4606.54.

CVE-2021-37956: Chromium: CVE-2021-37956 Use after free in Offline use

*What is the version information for this release?* Microsoft Edge Version: 94.0.992.31. Date Released: 9/24/2021. Based on Chromium Version: 94.0.4606.54.

Microsoft Exchange Autodiscover flaw reveals users’ passwords

Researchers were able to harvest hundreds of thousands of credentials thanks to a quirk of the Autodiscover process. Categories: Exploits and vulnerabilities. Tags: autodiscover domains exchange microsoft microsoft exchange tlds. Read more: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/microsoft-exchange-autodiscover-flaw-reveals-users-passwords/ The post Microsoft Exchange Autodiscover flaw reveals users’ passwords appeared first on Malwarebytes Labs.

CVE-2021-41084: HTTP Semantics

http4s is an open-source Scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.

Microsoft makes a bold move towards a password-less future

Microsoft envisions a password-less future. Password expert Per Thorsheim isn't so sure. Categories: Opinion. Tags: 2fa attack targets microsoft passwords per thorsheim. Read more: https://blog.malwarebytes.com/opinion/2021/09/microsoft-makes-a-bold-move-towards-a-password-less-future/ The post Microsoft makes a bold move towards a password-less future appeared first on Malwarebytes Labs.

Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

Last updated on October 5, 2021: See revision history located at the end of the post for changes. On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.

CVE-2021-30631: Chromium: CVE-2021-30631 Type Confusion in Blink layout

*What is the version information for this release?* Microsoft Edge Version: 93.0.961.52. Date Released: 9/16/2021. Based on Chromium Version: 93.0.4577.82.

CVE-2021-30630: Chromium: CVE-2021-30630 Inappropriate implementation in Blink

*What is the version information for this release?* Microsoft Edge Version: 93.0.961.52. Date Released: 9/16/2021. Based on Chromium Version: 93.0.4577.82.

CVE-2021-30629: Chromium: CVE-2021-30629 Use after free in Permissions

*What is the version information for this release?* Microsoft Edge Version: 93.0.961.52. Date Released: 9/16/2021. Based on Chromium Version: 93.0.4577.82.