Summary

Total Articles Found: 34

Top Articles:

  • If you own one of these 45 Netgear devices, replace it: Kit maker won't patch vulnerable gear despite live proof-of-concept code
  • Oh dear. Secret Huawei enterprise router snoop 'backdoor' was Telnet service, sighs Vodafone
  • Laptops given to British schools came preloaded with remote-access worm
  • Three middle-aged Dutch hackers slipped into Donald Trump's Twitter account days before 2016 US election
  • PuTTY in your hands: SSH client gets patched after RSA key exchange memory vuln spotted
  • Chinese dev jailed and fined for posting DJI's private keys on Github
  • Burn baby burn, plastic inferno! Infosec researchers turn 3D printers into self-immolating suicide machines
  • Don't pay off Ryuk ransomware, warn infoseccers: Its creators borked the decryptor
  • Israel's NSO Group: Our malware? Slurp your cloud backups plus phone data? They've misunderstood
  • Court orders encrypted email biz Tutanota to build a backdoor in user's mailbox, founder says 'this is absurd'

Adobe warns of second critical security hole in Adobe Commerce, Magento

Published: 2022-02-18 19:20:08

Popularity: 15

Author: Gareth Corfield

As sanctioned Russian infosec firm says it has working exploit code

Adobe has put out a warning about another critical security bug affecting its Magento/Adobe Commerce product – and IT pros need to install a second patch after an initial update earlier this week failed to fully plug the first one.…

Linux Snap package tool fixes make-me-root bugs

Published: 2022-02-19 00:15:57

Popularity: 15

Author: Gareth Corfield

Or you could think of them as a superuser password reset function

The snap-confine tool in the Linux world's Snap software packaging system can be potentially exploited by ordinary users to gain root powers, says Qualys.…

Infosec chap: I found a way to hijack your web accounts, turn on your webcam from Safari – and Apple gave me $100k

Published: 2022-01-26 08:32:13

Popularity: 30

Author: Gareth Corfield

Now you see a harmless PNG. Now it's a malicious payload. Look into my eyes

A security bod scored a $100,500 bug bounty from Apple after discovering a vulnerability in Safari on macOS that could have been exploited by a malicious website to potentially access victims' logged-in online accounts – and even their webcams.…

Shrootless: Microsoft found a way to evade Apple's SIP macOS filesystem protection

Published: 2021-10-29 18:01:30

Popularity: 12

Author: Gareth Corfield

LLM Says: "Sneaky Microsoft"

Flaw could have let miscreants slide rootkits onto your iDesktop

A vulnerability in macOS that could let a malicious person install rootkits on Apple Macs has been patched, following its discovery and disclosure by Microsoft.…

Researchers find high-severity command injection vuln in Fortinet's web app firewall

Published: 2021-08-18 16:38:08

Popularity: 12

Author: Gareth Corfield

Mitigation: Don't let randomers from the internet log in to your firewall

Updated: A command injection vulnerability exists in Fortinet's management interface for its FortiWeb web app firewall, according to infosec firm Rapid7.…

Got a cheap Cisco router in your home office? If it's one of these, there's an exposed RCE hole you need to plug

Published: 2021-08-05 13:28:04

Popularity: 21

Author: Gareth Corfield

Patches issued for two CVE-rated vulns

Cisco has published patches for critical vulns affecting the web management interface for some of its Small Business Dual WAN Gigabit routers – including a 9.8-rated nasty.…

8-month suspended sentence for script kiddie who DDoS'd Labour candidate in runup to 2019 UK general election

Published: 2021-06-30 14:02:03

Popularity: 6

Author: Gareth Corfield

Now banned from using Tor or VPNs – and 'vanity' handles on social media

A British script kiddie who DDoS'd a Labour Party parliamentary candidate's website in the runup to the last general election has been banned from using the Tor browser.…

Dell SupportAssist contained RCE flaw allowing miscreants to remotely reflash your BIOS with code of their creation

Published: 2021-06-25 17:45:10

Popularity: 73

Author: Gareth Corfield

And it affects 129 models of PC and laptop... or about 30 million computers

A chain of four vulnerabilities in Dell's SupportAssist remote firmware update utility could let malicious people run arbitrary code in no fewer than 129 different PC and laptop models – while impersonating Dell to remotely upload a tampered BIOS.…

We'd love to report on the outcome of the CREST exam cheatsheet probe, but UK infosec body won't publish it

Published: 2021-05-17 10:47:12

Popularity: 21

Author: Gareth Corfield

Why? It might reveal whistleblowers' names...

British infosec accreditation body CREST has declared that it will not be publishing its full report into last year's exam-cheating scandal after all, triggering anger from the cybersecurity community.…

Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu

Published: 2021-05-24 17:15:05

Popularity: 40

Author: Gareth Corfield

Cockup has since been patched in latest release

Mozilla Thunderbird spent the last couple of months saving some users’ OpenPGP keys in plain text – but that’s now been patched, the author of both the bug and the patch fixing it has told The Register.…

Nurserycam horror show: 'Secure' daycare video monitoring product beamed DVR admin creds to all users

Published: 2021-02-18 12:01:09

Popularity: 103

Author: Gareth Corfield

Company has a habit of reacting badly to vuln disclosures

Updated: A parental webcam targeted at nursery schools was so poorly designed that anyone who downloaded its mobile app gained access to admin credentials, bypassing intended authentication, according to security pros – with one dad saying its creators brushed off his complaints about insecurities six years ago.…

Chrome zero-day bug that is actively being abused by bad folks affects Edge, Vivaldi, and other Chromium-tinged browsers

Published: 2021-02-05 15:07:04

Popularity: 107

Author: Gareth Corfield

Install your updates pronto

If you use Google Chrome or a Chromium-based browser such as Microsoft Edge, update it immediately and/or check it for updates over the coming days: there is a zero-day bug being "actively exploited" in the older version of Chrome that will also affect other vendors' browsers.…

More patches for SolarWinds Orion after researchers find flaw allowing low-priv users to execute code, among others

Published: 2021-02-03 21:25:30

Popularity: 42

Author: Gareth Corfield

Probably not used by last year's US government-busting attackers, though

As if that supply chain attack wasn't bad enough, SolarWinds has had to patch its Orion software again after eagle-eyed researchers discovered fresh vulnerabilities – including one that can be exploited to achieve remote code execution.…

Laptops given to British schools came preloaded with remote-access worm

Published: 2021-01-21 17:32:08

Popularity: 1762

Author: Gareth Corfield

Department for Education says: 'We believe this is not widespread'

Updated: A shipment of laptops supplied to British schools by the Department for Education to help kids learn under lockdown came preloaded with malware, The Register can reveal.…

Julian Assange will NOT be extradited to the US over WikiLeaks hacking and spy charges, rules British judge

Published: 2021-01-04 12:43:13

Popularity: 152

Author: Gareth Corfield

But it's not over yet: Next step is Uncle Sam's appeal to London's High Court

Accused hacker and WikiLeaks founder Julian Assange should not be extradited to the US to stand trial, Westminster Magistrates' Court has ruled.…

Court orders encrypted email biz Tutanota to build a backdoor in user's mailbox, founder says 'this is absurd'

Published: 2020-12-08 21:07:13

Popularity: 167

Author: Gareth Corfield

Plus: Yet another UK.gov bod demands end-to-end encryption is broken

Tutanota has been served with a court order to backdoor its encrypted email service – a situation founder Matthias Pfau described to The Register as "absurd."…

Three middle-aged Dutch hackers slipped into Donald Trump's Twitter account days before 2016 US election

Published: 2020-09-11 09:07:10

Popularity: 1175

Author: Gareth Corfield

The Orange One was using a password breached four years previously

Three “grumpy old hackers” in the Netherlands managed to access Donald Trump’s Twitter account in 2016 by extracting his password from the 2012 LinkedIn hack.…

Burn baby burn, plastic inferno! Infosec researchers turn 3D printers into self-immolating suicide machines

Published: 2020-07-31 10:15:09

Popularity: 323

Author: Gareth Corfield

Inflammatory findings from deadly serious investigation

Some 3D printers can be flashed with firmware updates downloaded directly from the internet – and an infosec research firm says it has discovered a way to spoof those updates and potentially make the printer catch fire.…

'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'

Published: 2020-08-03 14:02:22

Popularity: 64

Author: Gareth Corfield

CRM biz doesn't 'anticipate any kind of material financial impact' but can't say same for those whose data was nicked

"We discovered and stopped a sophisticated attempted ransomware attack," Blackbaud CEO Michael Gianoni has told financial analysts – failing to mention the company simply paid off criminal extortionists to end the attack.…

If you own one of these 45 Netgear devices, replace it: Kit maker won't patch vulnerable gear despite live proof-of-concept code

Published: 2020-07-30 11:28:36

Popularity: 2895

Author: Gareth Corfield

That's one way of speeding up the tech refresh cycle

Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code.…

Fancy that: Hacking airliner systems doesn't make them magically fall out of the sky

Published: 2020-03-04 11:30:10

Popularity: 131

Author: Gareth Corfield

Study finds most A320 pilots shrug, ignore dodgy systems and land safely

Airline pilots faced with hacked or spoofed safety systems tend to ignore them – but could cost their airlines big sums of money, an infosec study has found.…

Departing MI5 chief: Break chat app crypto for us, kthxbai

Published: 2020-02-26 17:17:13

Popularity: 62

Author: Gareth Corfield

Sir Andrew Parker also claims UK spies are not doing bulk surveillance

British spies are once again stipulating that tech companies break their encryption so life is made easier for state-sponsored eavesdroppers.…

Hospital hacker spared prison after plod find almost 9,000 cardiac images at his home

Published: 2020-01-20 11:30:47

Popularity: 165

Author: Gareth Corfield

NHS working with cops and ICO to determine if patients must be told

A Stoke-on-Trent hospital administrator has avoided prison after hacking his NHS trust and helping himself to almost 9,000 heart scan images.…

How to fool infosec wonks into pinning a cyber attack on China, Russia, Iran, whomever

Published: 2019-12-05 15:44:04

Popularity: 120

Author: Gareth Corfield

Learning points, not an instruction manual

Black Hat Europe: Faking digital evidence during a cyber attack – planting a false flag – is simple if you know how, as noted infosec veteran Jake Williams told London's Black Hat Europe conference.…

Feds slap $5m bounty on 'Evil Corp' Russian duo accused of running ZeuS, Dridex banking trojans

Published: 2019-12-05 16:49:22

Popularity: 82

Author: Gareth Corfield

Account-draining malware masterminds charged but remain in motherland

US prosecutors have slapped a $5m bounty on the heads of two Russian nationals they claim are part of the malware gang behind the banking trojans ZeuS and Dridex.…

Don't pay off Ryuk ransomware, warn infoseccers: Its creators borked the decryptor

Published: 2019-12-10 16:30:11

Popularity: 299

Author: Gareth Corfield

Oracle DBs particularly vulnerable to fake decryptions, say researchers

If you're an Oracle database user and are tempted to pay off a Ryuk ransomware infection to get your files back, for pity's sake, don't. The criminals behind it have broken their own decryptor, meaning nobody will be able to unlock files scrambled by the malicious software.…

Israel's NSO Group: Our malware? Slurp your cloud backups plus phone data? They've misunderstood

Published: 2019-07-19 17:00:07

Popularity: 186

Author: Gareth Corfield

After report claimed its sales pitches boasted of doing that

Israeli spyware firm NSO Group has denied it developed malware that can steal user data from cloud services run by Amazon, Apple, Facebook, Google and Microsoft.…

Iran's blame-it-on-Bitcoin 'leccy shortage probably isn't a US hack cover story... yet

Published: 2019-06-28 18:45:48

Popularity: 99

Author: Gareth Corfield

But just imagine Stuxnet: Consumer Edition

Comment: Iran claims that recent surges in electricity demand, leading to blackouts and brownouts, were caused by too many cryptocurrency miners’ power-hungry machines being hooked up to the national grid – though all may not be as it seems.…

Another remote-code execution hole in top database engine SQLite: How it works, and why not to totally freak out

Published: 2019-05-10 17:30:12

Popularity: 148

Author: Gareth Corfield

You know the drill: Patch and stop using C

Cisco Talos researchers have uncovered an SQLite use-after-free() vulnerability that could allow an attacker to, in theory, remotely execute code on an affected device.…

Chinese dev jailed and fined for posting DJI's private keys on Github

Published: 2019-04-30 07:10:05

Popularity: 839

Author: Gareth Corfield

Hapless soul repents 'unintentionally' sharing drone maker's privates in repo

A Chinese software developer who previously expressed suicidal thoughts has been jailed after putting one of drone company DJI's AES private keys onto Github in plain text.…

May Day! PM sacks UK Defence Secretary Gavin Williamson for Huawei 5G green-light 'leak'

Published: 2019-05-01 17:35:25

Popularity: 95

Author: Gareth Corfield

Denies wrongdoing, replaced by one-time junior MoD minister Penny Mordaunt

Updated: Defence Secretary Gavin Williamson has been sacked from the British government after apparently leaking the news that Blighty isn’t completely banning Huawei from its 5G networks.…

Oh dear. Secret Huawei enterprise router snoop 'backdoor' was Telnet service, sighs Vodafone

Published: 2019-04-30 14:37:49

Popularity: 2424

Author: Gareth Corfield

We all want to see hard proof of deliberate espionage. This is absolutely not it

A claimed deliberate spying "backdoor" in Huawei routers used in the core of Vodafone Italy's 3G network was, in fact, a Telnet-based remote debug interface.…

PuTTY in your hands: SSH client gets patched after RSA key exchange memory vuln spotted

Published: 2019-03-19 09:10:08

Popularity: 859

Author: Gareth Corfield

Bunch of bugs stomped with version 0.71

Venerable SSH client PuTTY has received a pile of security patches, with its lead maintainer admitting to The Register that one fixed a "'game over' level vulnerability".…

TalkTalk kept my email account active for 8 years after I left – now it's spamming my mates

Published: 2019-03-07 09:10:07

Popularity: 137

Author: Gareth Corfield

But ISP won't nuke nuisance without proof of ID

Updated: TalkTalk has refused to delete a former customer's email address which was taken over by spammers – because the unfortunate person cancelled their contract eight years ago.…