Running a recent Apache web server version? You probably need to patch it. Now

The Apache Software Foundation has hurried out a patch to address a pair of HTTP Web Server vulnerabilities, at least one of which is already being actively exploited.

Apache's HTTP Server is widely used, and the vulnerabilities, CVE-2021-41524 and CVE-2021-41773, aren't great. The latter, a path traversal and file disclosure flaw, is particularly problematic.

The former was reported to Apache's security team on 17 September and can be exploited by an external source to DoS a server with a specially crafted request. It turned up in version 2.4.49, which was released on September 15, and the Apache crew is not aware of any exploit.

VoIP Unlimited hit by outage in wake of DDoS claims • The Register

A British VoIP firm has staggered back to its feet after being smacked with a series of apparent DDoSes a month after suffering a series of sustained attacks it said were delivered by the REvil ransomware gang.

In an update at 11:56 UK time, it said it was "continuing to suffer from large scale DDoS attacks. VoIP Unlimited engineers are continuing to mitigate the impact on services."

Source Tags & Codes

The saga of the Missouri governor reflects a failure by the powerful to embrace curiosity—curiosity encouraged by the HTML language he fails to understand.

blog.ipfire.org - Feature Spotlight: Weaponising IPFire Location to proactively detect Fast Flux setups

Thanks to libloc, the free & open source location database, IPFire comes with an accurate, trustworthy database for mapping IP addresses to countries and Autonomous Systems, and vice versa. This allows us to introduce a new feature: Proactive detection of Fast Flux setups, which are commonly used by ne'er-do-wells for hosting questionable and malicious content on compromised machines around the world, switching from one infected PC, IoT device, or router to another within minutes.

To the best of our knowledge, this is a unique feature. Contrary to other security mechanisms such as AV scanners, which are often lagging behind, it detects malware, phishing, C&C servers and other nefarious things proactively - before any threat intelligence source in the world even knows about them. Even better, measurements done so far indicate it comes with a near-zero false positive rate in productive environments.1

A class of its own, CNCF & Linux Foundation Kubernetes exam [Ed: Adrian Bridgwater publishing spam for Zemlin now over in ComputerWeekly… real journalism is dead. It’s all sponsored.]

KubeCon 2021: New Kubernetes Certificate and the future of Kubernetes - Market Research Telecast

The CNCF, the foundation under the umbrella of the Linux Foundation, which is responsible for the administration of the Kubernetes source code, has the KubeCon North America opened and welcomed visitors again after two years. In autumn 2019, users and developers of Kubernetes and cloud native technologies from their environment met for the last time on site at KubeCon & CloudNativeCon in the USA. The following European edition 2020 at the end of March took place via live streams from living rooms.

Citrix has built a browser, and lost a CEO

According to a regulatory filing, in early October, the company's board appointed Robert M. Calderoni as interim CEO, after David Henshall stepped down from the role.

User locked out of Microsoft account by MFA bug, complains of customer-hostile support • The Register [Ed: By Microsoft Tim]

Konstantin Gizdov, an IT professional, was locked out of his Microsoft account by a bug in the company's Multi-Factor Authentication (MFA), but says support refused to acknowledge the bug or recover his account.

Gizdov is founder of KGE Consultancy Ltd in Edinburgh and an Arch Linux Trusted User.

His problems began when he received an email informing him that his Microsoft account had been renamed. "I immediately clicked on the 'That was not me' button," he said in a post, after which he managed to contact support.

Apple patches 'actively exploited' iPhone zero-day with iOS 15.0.2 update

If you're using an iPhone, install the iOS 15.0.2 update immediately: Apple has warned that the latest OS upgrade patches an "actively exploited" zero-day.

Described as a "memory corruption issue" by Apple, the vuln is present within the IOMobileFrameBuffer kernel extension, used for managing display memory. Malicious applications are said to be capable of triggering an integer overflow in the framebuffer, permitting execution of arbitrary code with kernel privileges.

The bug, publicly tracked as CVE-2021-30883, has not yet been published in full although technical descriptions and proofs of concept are already circulating on security-focused areas of the web.

Podcast: 67% of Orgs Have Been Hit by Ransomware at Least Once [iophk: Windows TCO]

According to Fortinet’s Global State of Ransomware Report 2021 (PDF), released last week, most organizations report that ransomware is their top most concerning cyber-threat. That’s particularly true for respondents in Latin America, Asia-Pacific and Europe-Middle East-Africa, who report that they’re more likely to be victims than their peers in the U.S. or Canada.

Treasury: $590M paid out by victims of ransomware attacks in first half of 2021 [iophk: Windows TCO]

Just over 450 ransomware payments were reported to FinCEN from the beginning of January through end of June, with the amount of suspicious activity reports increasing by 30 percent from last year. The amount paid by victims also massively increased compared to 2020, when $416 million was paid out over the entire year.

Ransomware? No fear, Scott Morrison has a plan. An action plan

Hence the Ransomware Action Plan. It's just like the numerous other plans which Morrison and his ministers have put forth, meaningless jumbles of words, all aimed at that one Saturday before next May when the election will have to be held.

When something that should necessarily have some gravitas starts out like this: "The world has never been more interconnected and our reliance on the internet to fuel Australia’s prosperity and maintain our way of life has never been greater", you just know that it's weapons-grade BS.

Apple to make 10 million fewer iPhones due to microchip shortage

Chip suppliers such as Broadcom and Texas Instruments have reportedly told the smartphone maker that they won't be able to deliver as many units as they said they could.

New Windows 10 KB5006670 update breaks network printing

Short URLs come in handy for cybercrooks

However, there are downsides too. URL shorteners are often used by online fraudsters to trick users into following a link to compromise their systems, swindle money from their bank accounts or even trick them into mine cryptocurrency without the intervention of the user. Recipients could be clicking a malware link (short links) or be directed to a spoofing page where the victim’s sensitive information could be recorded and later used for stealing sensitive data or money.