Cloud Native Infrastructure with Microsoft Azure

Take full advantage of the flexibility and scalability of the cloud with a modern cloud-native infrastructure. Read the O’Reilly e-book, Cloud Native Infrastructure with Azure, to learn how to adapt your applications early in the design phase to get the most out of the cloud. Plus, get best practices for how to use, deploy, and maintain cloud-native technology components effectively with Azure.

Read the e-book to learn how to:

  • Build and manage cloud-native applications.
  • Determine the right technology for different infrastructure design stages.
  • Anticipate challenges you may face while managing and operating cloud-native infrastructure and learn about technologies that can help you overcome them.

Go here to register to get the free book.

Invitation to the Azure Cosmos DB Roadshow Series: Empower Your Skills in the AI Era

Join other Software Architects and Technical Decision Makers, Microsoft technical experts, and partners to discuss and learn how to reimagine data strategies for cloud-native, intelligent apps.  This two-day event will offer technical insights, share real-world success stories, and dive into the technical underpinnings of robust data strategies for modern applications built in the cloud. 

Our Azure Cosmos DB team will be visiting the following cities: 

Your options over the two days include: 

  • Leading in the age of Intelligent Apps Strategy Workshop – Get an update from data experts from Microsoft. Use this as an opportunity to ask questions and explore strategies for powering modern apps with scalable and high-performance cloud data using Azure Cosmos DB.
  • Azure Cosmos DB for NoSQL technical workshop (2-day workshop) – Join technical experts who will work with you to dive deep into the how of building modern apps with cloud-scale data using Azure Cosmos DB. This is a combination of instruction and hands-on labs.
  • Azure Cosmos DB for PostgreSQL technical workshop – Join technical experts who will work with you to dive deep into the how of building modern apps with cloud-scale data using Azure Cosmos DB. This is a combination of instruction and hands-on labs.
  • Whiteboarding 1:1 session

Critical Privilege Escalation in Essential Addons for Elementor Plugin Affecting 1+ Million Sites

This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re an Essential Addons for Elementor user, please update the plugin to at least version 5.7.2.

The security vulnerability in Essential Addons for Elementor

This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.

An attacker can reset the password of any user whose username is known, including the administrator, and then log in to that account. The vulnerability occurs because the plugin's password reset function does not validate a password reset key and instead directly changes the password of the given user. The vulnerability was fixed in version 5.7.2 and assigned CVE-2023-32243.
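
The missing check described above, as an added example that is not the plugin's code: a simplified Python model of a password reset flow, with the username-only handler next to one that validates a reset key. The `Site` class, `RESET_TTL` and the sample `admin` account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 3600  # assumed policy: a reset key is valid for one hour

class Site:
    """Toy user store standing in for a WordPress site (hypothetical model)."""

    def __init__(self):
        self.passwords = {"admin": "original"}  # constructed sample account
        self.reset_keys = {}  # username -> (sha256 hex of key, expiry time)

    def request_reset(self, username, now=None):
        # Issue a random one-time key; a real site e-mails it to the owner.
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).hexdigest()
        self.reset_keys[username] = (digest, now + RESET_TTL)
        return key

    def reset_vulnerable(self, username, new_password):
        # The flaw described above: knowing the username is sufficient.
        if username not in self.passwords:
            return False
        self.passwords[username] = new_password
        return True

    def reset_hardened(self, username, key, new_password, now=None):
        # Change the password only for a matching, unexpired, unused key.
        now = time.time() if now is None else now
        stored = self.reset_keys.get(username)
        if username not in self.passwords or stored is None:
            return False
        digest, expires = stored
        supplied = hashlib.sha256(key.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(digest, supplied):
            return False
        del self.reset_keys[username]  # single use: a replay finds no key
        self.passwords[username] = new_password
        return True

if __name__ == "__main__":
    site = Site()
    key = site.request_reset("admin")
    print(site.reset_hardened("admin", "guess", "n1"))  # wrong key is rejected
    print(site.reset_hardened("admin", key, "n2"))      # valid key is accepted
```

Storing only a hash of the key and comparing with `hmac.compare_digest` means a leaked key table or a timing side channel does not hand out usable reset keys.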

To read the full story go here

NCCoE Seeks Collaborators for New DevSecOps Project

Become a Collaborator on the NCCoE Software Supply Chain and DevOps Security Practices Project

The National Cybersecurity Center of Excellence (NCCoE) has issued a Federal Register Notice (FRN) inviting industry participants and other interested collaborators to participate in the Software Supply Chain and DevOps Security Practices project. This NCCoE DevSecOps project will focus on developing and documenting an applied risk-based approach and recommendations for DevSecOps practices.

There are two ways to join the NCCoE for this project:

  • Become an NCCoE Collaborator – Collaborators are members of the project team that work alongside the NCCoE staff to build the demonstration by contributing products, services, and technical expertise.
  • Get Started Today – If you are interested in becoming an NCCoE collaborator for the Software Supply Chain and DevOps Security Practices project, first review the requirements identified in the Federal Register Notice. To become a collaborator, visit the project page to see the final project description and request a Letter of Interest (LOI) template–you will then receive a link to download the LOI template. Complete the LOI template and send it to the NCCoE DevSecOps team at [email protected].
  • Join our Community of Interest – By joining the NCCoE DevSecOps Community of Interest (COI), you will receive project updates and the opportunity to share your expertise to help guide this project. Request to join our DevSecOps COI by visiting our project page.

If you have any questions, please contact our project team at [email protected].

Project Page 

Multiple Vulnerabilities in Apple Products

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence

Apple is aware of a report that CVE-2023-32367 may have been actively exploited.

Systems Affected

  • Safari prior to 16.5
  • iOS prior to 16.5
  • iPadOS prior to 16.5
  • watchOS prior to 9.5
  • tvOS prior to 16.5
  • macOS Big Sur prior to 11.7.7
  • macOS Monterey prior to 12.6.6
  • macOS Ventura prior to 13.4

Risk

Government:
  • Large and medium government entities: High
  • Small government entities: High
Businesses:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low

Technical Summary

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.

Recommendations

  • Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Digital event: Reimagine secure access with Microsoft Entra

Identity is your first line of defense. And with cyberthreats continually growing in volume and sophistication, identity and access must evolve to be more resilient and effective. Hear about the latest innovations and how to strengthen your defenses at Reimagine secure access with Microsoft Entra.

Join this digital event to explore ways to:

  • Provide secure access for any identity to any application or resource across your on-premises and multicloud environment.
  • Keep up with a rapidly expanding and evolving cyberthreat landscape by optimizing your tech stack.
  • Reduce your attack surface while improving experiences for all users—no matter where they are.
 
Reimagine secure access with Microsoft Entra
Tuesday, June 20, 2023
9:00 AM – 10:30 AM Pacific Time (UTC-7)

Please register here

WordPress 6.2.1 Security & Maintenance Release

WordPress 6.2.1 is now available!

This minor release features 20 bug fixes in Core and 10 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

This release also features several security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 4.1 have also been updated.

WordPress 6.2.1 is a short-cycle release. The next major release will be version 6.3 planned for August 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.2.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

  • Block themes parsing shortcodes in user generated data; thanks to Liam Gladdy of WP Engine for reporting this issue
  • A CSRF issue updating attachment thumbnails; reported by John Blackbourn of the WordPress security team
  • A flaw allowing XSS via open embed auto discovery; reported independently by Jakub Żoczek of Securitum and during a third party security audit
  • Bypassing of KSES sanitization in block attributes for low privileged users; discovered during a third party security audit.
  • A path traversal issue via translation files; reported independently by Ramuel Gall and during a third party security audit.

Comments Requested on Proposed Updates to NICE Framework Work Role Categories and Work Roles

In our continuing effort to improve the Workforce Framework for Cybersecurity (NICE Framework) as a fundamental reference resource, the National Initiative for Cybersecurity Education (NICE) announced on April 18, 2023 updates to NICE Framework Work Role Categories and Work Roles. The proposed updates are based on feedback from the community during previous calls for comments, during regular engagement with stakeholders, and through consultations with subject matter experts. The updates focus on improving clarity, consistency, and accuracy to increase the usefulness of this resource.

Updates include:

  • Minor changes to Work Role Category names, descriptions, and ordering.
  • Updates to Work Role names, minor updates to Work Role descriptions, and new Work Role IDs to reflect category updates and remove reference to deprecated Specialty Areas.

An overview of the proposed updates is provided in “NICE Framework Work Role Categories and Work Roles: An Introduction and Summary of Proposed Updates”.

Guidelines for Managing the Security of Mobile Devices in the Enterprise

Guidelines for Managing the Security of Mobile Devices in the Enterprise: NIST Publishes SP 800-124 Revision 2

Today mobile devices are ubiquitous, and they are often used to access enterprise networks and systems to process sensitive data. NIST Special Publication (SP) 800-124 Revision 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise, assists organizations in managing and securing mobile devices against the ever-evolving threats. To address these threats, this publication describes technologies and strategies that can be used as countermeasures and mitigations.

NIST SP 800-124 Rev. 2 also provides recommendations for secure deployment, use, and disposal of mobile devices throughout the mobile device life cycle. The scope of this publication includes mobile devices, centralized device management, and endpoint protection technologies, while including both organization-provided and personally-owned (bring your own device) deployment scenarios.


Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments

Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats.

You will have the opportunity to:

  • Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
  • Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
  • Understand ways to help protect people and data against cyberthreats with Microsoft technologies.

Join us at an upcoming two-part event:
Wednesday, June 14, 2023 | 10:00 AM – 12:45 PM | (GMT-05:00) Eastern Time (US & Canada)
Thursday, June 15, 2023 | 10:00 AM – 12:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English