An urgent update has been released by Apple for iOS, iPadOS and macOS Monterey to patch a zero-day vulnerability.

The vulnerability has been tracked as CVE-2022-22620. Upon processing malicious web content on affected devices, attackers can execute arbitrary code.

As per Apple and other security researcher, there is high possibility of active exploitation of this vulnerability by threat actors.

Microsoft has released patches for 48 vulnerabilities with most of them are classified as important including one zero-day, none of the vulnerability is critical in this month update. Even if the exploit code for zero-day (CVE-2022-21989) is available, exploiting the vulnerability is highly complex.

There has been a discovery of a critical vulnerability in a WordPress plugin with over one million installations that could lead to the execution of arbitrary code on a compromised website.

The plugin is known as Essential Add-ons for “Elementor”, the plugin gives WordPress site owner/admin access to over 80 elements and extensions to design and customize pages and posts.

Qualys discovered a local privilege escalation vulnerability in PolitKit's pkexec utility. This vulnerability can give root privileges to local user. PolitKit (PolicyKit) is a system-wide privilege control component used by Unix-like operating systems. Every major distribution of Linux includes the SUID-root program by default.

There is a new Serv-U vulnerability found by Microsoft, related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software. The vulnerability tracked as CVE2021-35247 is an input validation vulnerability that could allow attackers to build a query based on given input, and send it over the network without sanitation.

Serv-U, users can be authenticated against an internal LDAP server, such as a Windows domain controller or OpenLDAP serve.

The Desktop Central and Desktop Central MSP platforms of Zoho ManageEngine are affected by a new security flaw, tracked as CVE-2021-44757. 

It is described as an authentication bypass vulnerability, which could allow an attacker to execute unauthorized actions on the affected platform. If exploited, it could allow an attacker to read unauthorized data or write arbitrary data on the server.  

This vulnerability has been fixed on January 17, 2022, and the mitigation is available in the latest versions of Desktop Central and Desktop Central MSP.

Microsoft has released patches for 97 vulnerabilities with nine classified as critical, eighty eight classified as important including six zero-days. Fortunately, none of these (zero-days) vulnerabilities have been actively exploited. Though, public exploit code for two of them (CVE-2022-21919 and CVE-2022-21836) is available.

In Jan 2022 Microsoft has fixed problems of Privilege escalation, Remote Code Execution, Cross-site scripting (XSS), Security Feature Bypass, Information Disclosure, Denial of Service, and Spoofing Vulnerabilities. 

A new version of Apache web server (2.4.52) has been released by The Apache Software Foundation to address the Critical and High vulnerabilities, one of which could lead to remote code execution.

It is possible to cause a buffer overflow when parsing multipart content in mod_lua of affected Apache HTTP Server via a carefully crafted request body (r:parsebody() called from Lua scripts) by exploiting vulnerability (CVE-2021-44790).

Adobe has issued security update for December 2021, which address 60 vulnerabilities in 11 products, with 28 classified as Critical.  

Some notable products that are patched in December security update includes- Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager, and Premiere Rush. 

Adobe has fixed problem of cross-site scripting (XSS), arbitrary code execution, remote code execution, and privilege escalation.