security patch


Microsoft releases emergency updates to address cropped screengrab privacy flaws

Following the discovery of serious vulnerabilities in the Snipping Tool app for Windows 11 and Snip & Sketch in Windows 10, Microsoft has released out-of-band updates to plug the security holes.

The flaws are similar to the recently discovered aCropalypse bug affecting Pixel mobiles, making it possible to "uncrop" cropped images and potentially expose sensitive information. Having briefly tested updates with Windows Insiders, Microsoft has now made fixes available to all Windows 10 and Windows 11 users.

By Sofia Elizabella Wyciślik-Wilson -

Taking the risk-based approach to vulnerability patching

Patching vulnerabilities is universally acknowledged as a critical process and one of the most effective ways to prevent attacks on IT assets. But as the volume of vulnerabilities discovered in the tools we use continues to proliferate -- and the speed at which they are being weaponized increases -- patching is becoming a complex and difficult task for security teams. During the 2021 calendar year alone, more than 20,000 individual vulnerabilities were discovered and announced, and by May 2022, more than 10,000 issues had been released. The number of vulnerabilities being discovered and disclosed is not slowing down; it is accelerating.

While the security community's ability to discover vulnerabilities, and the attention it gives to doing so, has matured, the scale of these issues has, in tandem, become overwhelming. So what can organizations do to stay afloat in today's "sink-or-swim" threat landscape?

By Eran Livne -

Organizations take two months to patch critical vulnerabilities

Organizations are taking nearly two months to remediate critical risk vulnerabilities, with an average mean time to remediate (MTTR) of 60 days.

A new report from smart vulnerability management firm Edgescan, based on analysis of over 40,000 web application and API assessments, three million network endpoint assessments, and circa 1000 penetration tests, finds high rates of known, patchable vulnerabilities that have working exploits in the wild.

By Ian Barker -

Project Zero finds that Linux developers fix security flaws faster than Apple, Google or Microsoft

Whether Linux distributions are more secure than Windows or macOS is the source of ongoing debate, but Google's Project Zero has some interesting findings relating to the patching of security holes.

The security research program at Google has published information relating to security flaws found in software over the course of two years. Between January 2019 and December 2021 the Project Zero team found that Linux developers address problems far faster than Apple, Microsoft or Google itself.

By Sofia Elizabella Wyciślik-Wilson -

© 1998-2025 BetaNews, Inc. All Rights Reserved.