security flaws Archives

AppWizard

August 22, 2025

Android VPN Apps Linked to Chinese Co (Qihoo 360) Tied to PRC

Recent investigations by Arizona State University and Citizen Lab have revealed that several popular Android VPN applications are linked to entities in mainland China and Hong Kong, raising security concerns. These apps, which have millions of downloads, share ownership and infrastructure, and exhibit significant security flaws, including the collection of location data against privacy policies, outdated encryption methods, and hard-coded passwords that could compromise user traffic. One company manages all VPN servers for a second group of apps, while a third group is vulnerable to connection interference attacks. Notably, these VPN providers are connected to Qihoo 360, a Chinese company flagged as a potential national security threat, with ties to the Chinese military. The Tech Transparency Project reported that millions of Americans have downloaded apps that route internet traffic through Chinese companies, with one in five of the top 100 free VPNs in the U.S. App Store in 2024 being covertly owned by Chinese firms. Some VPNs have targeted younger audiences through social media ads, raising concerns about their marketing strategies. Qihoo 360 has been sanctioned and is on the Commerce Department’s Entity List, emphasizing the national security risks associated with these services. Users are advised to research their VPN providers to avoid affiliations with the Chinese Communist government.

Tech Optimizer

August 18, 2025

Critical PostgreSQL Vulnerabilities Allow Arbitrary Code Execution During Backup Restoration

The PostgreSQL Global Development Group has released security and maintenance updates for versions 17.6, 16.10, 15.14, 14.19, 13.22, and the third beta of PostgreSQL 18. The updates address three critical vulnerabilities: 1. CVE-2025-8714 (CVSS 8.8) - Allows code injection during dump restoration via pg_dump operations. 2. CVE-2025-8715 (CVSS 8.8) - Enables SQL injection through newline injection in object names during pg_dump. 3. CVE-2025-8713 (CVSS 3.1) - Exposes optimizer statistics data. The update also improves BRIN index performance, logical replication, and resolves WAL segment removal issues. PostgreSQL 13 will reach end-of-life on November 13, 2025. The third beta of PostgreSQL 18 is in development, with general availability expected in September-October 2025. Administrators should perform reindexing after the upgrade if using specific BRIN indexes.

Tech Optimizer

August 18, 2025

Critical PostgreSQL Vulnerabilities Allow Arbitrary Code Injection During Restoration

The PostgreSQL Global Development Group has released emergency security updates for versions 13 through 17 to address three critical vulnerabilities that could allow attackers to execute arbitrary code during database restoration processes. The vulnerabilities are tracked as CVE-2025-8714, CVE-2025-8715, and CVE-2025-8713, with CVE-2025-8714 and CVE-2025-8715 both rated with a CVSS score of 8.8. CVE-2025-8714 allows malicious superusers to inject arbitrary code during restoration via the pg_dump utility, while CVE-2025-8715 exploits improper neutralization of newlines in object names to trigger code execution. CVE-2025-8713, with a CVSS score of 3.1, permits unauthorized access to restricted data within optimizer statistics. The fixed PostgreSQL versions are 17.6, 16.10, 15.14, 14.19, and 13.22, released on August 14, 2025. Organizations are advised to upgrade immediately and implement strict access controls.

Winsage

August 15, 2025

Microsoft patches more than 100 Windows security flaws – update your PC now

Microsoft's August Patch Tuesday update addresses 107 vulnerabilities in Windows, including 13 critical ones. It affects all current versions of Windows, including Windows 10, Windows 11, and Windows Server. The update fixes security issues in components like File Explorer, Remote Desktop, and Hyper-V, as well as bugs in Microsoft Office, Edge, and Teams. Nine critical vulnerabilities involve remote code execution. One vulnerability, CVE-2025-53779, is a zero-day flaw in the Windows Kerberos authentication system that could grant domain administrator privileges if exploited. The update also introduces new features, including a revamped error screen called the Black Screen of Death and Quick Machine Recovery for troubleshooting boot failures. Users can check for the update in the Windows Update section of Settings.

Winsage

August 14, 2025

Microsoft fixed 100+ security flaws in Windows and Office this month

Microsoft has addressed 67 vulnerabilities in its supported Windows versions, including Windows 10, Windows 11, and Windows Server. Users on Windows 7 and Windows 8.1 have not received updates for some time. Upgrading to Windows 11 24H2 is recommended for continued protection. Two critical remote code execution (RCE) vulnerabilities are CVE-2025-53766, affecting the Graphics Device Interface API, and CVE-2025-50165, impacting the Windows Graphics Component. Both can be exploited by visiting a specially crafted website. Three critical vulnerabilities in Hyper-V include CVE-2025-48807, which allows code execution from a guest system to the host; CVE-2025-53781, which poses a data leak risk; and CVE-2025-49707, a spoofing vulnerability. Additionally, 12 vulnerabilities in the Routing and Remote Access Service (RRAS) have been addressed, with half classified as RCE vulnerabilities and the other half as data leaks. CVE-2025-53779, affecting Kerberos for Windows Server 2025, could allow an attacker to gain administrator rights under specific conditions, but is classified as medium risk.

Winsage

July 8, 2025

Microsoft Deprecates PowerShell 2.0 in Windows 11 Over Security Flaws

Microsoft has rolled out Windows 11 Insider Preview Build 27891 to the Canary Channel, which includes the removal of Windows PowerShell 2.0. The update features several critical system fixes, including: - Correction of the “Reset this PC” feature under Settings > System > Recovery. - Resolution of an issue affecting the taskbar's acrylic material effect. - Fix for Windows Update downloads that stalled at 2%. - Correction of character rendering problems for languages like Vietnamese and Arabic. Enhancements in File Explorer include a dropdown menu in the address bar that shows the complete folder path. Stability improvements in Settings aim to prevent crashes when accessing microphone properties or Bluetooth settings, although a new known issue may cause crashes in Settings > System > Power & Battery. Task Manager now features updated CPU utility calculations. The Microsoft Store has been updated to allow users to install apps and games directly from the top featured sections. Known issues include potential loss of Windows Hello PIN on Copilot+ PCs, graphical distortion for Remote Desktop users on Arm64 PCs, and incomplete localization of some features. Transitioning out of the Canary Channel requires a clean installation of Windows 11.

AppWizard

July 7, 2025

Call Of Duty: WWII’s Game Pass PC Version Was Pulled, Reportedly After Hacking Issues

Activision has taken the PC version of Call of Duty: WWII offline shortly after its release on Game Pass due to reports of hacking incidents, specifically Remote Code Execution (RCE) attacks that compromised players' PCs. The decision follows a history of cheating issues in the Call of Duty franchise, particularly in multiplayer modes. Activision announced the game's removal on Twitter on July 4, 2025, while investigations are ongoing, but no timeline for its return has been provided. Meanwhile, other Call of Duty titles like Black Ops 6 and Warzone continue to operate, and Call of Duty: Black Ops 7 is set to launch later this year.

Winsage

April 24, 2025

Windows 11’s crucial new ‘inetpub’ folder is laughably easy to hack

A new folder named "inetpub" appeared on many Windows PCs after an April update, initially thought to be a glitch. Microsoft later stated that this folder was introduced to enhance Windows security by addressing the CVE-2025-21204 vulnerability. However, security researcher Kevin Beaumont revealed that the inetpub folder could allow attackers to bypass critical security updates. Beaumont proposed creating a junction point in the C: directory to prevent the inetpub folder's creation, which would also block the installation of the April update and subsequent security updates, leaving PCs vulnerable. This situation could lead to error messages and failed update rollbacks, with attackers able to exploit these issues without elevated privileges. Beaumont has informed Microsoft about the problem, but a response has not yet been received.

AppWizard

April 18, 2025

Perplexity’s Android App Is Infested With Security Flaws, Report Finds

Perplexity has launched a promotional campaign called “Ask like a millionaire,” offering a million-dollar prize to users who download its app, refer friends, and engage with it during the Super Bowl. However, the Android app is facing scrutiny due to significant security vulnerabilities, including issues that could lead to data theft and account takeovers. A report from Appknox reveals that the app's API can be accessed without restriction, and the code contains hardcoded secrets, making it easy for attackers to create counterfeit versions of the app. The app is also vulnerable to task hijacking, which could allow unauthorized access to sensitive data. Perplexity, founded in 2022, has raised 0 million in venture capital and has over 10 million downloads. The company is exploring partnerships with smartphone manufacturers and has faced criticism for alleged copyright infringement. Security experts advise users to consider removing the app until the issues are resolved.

Winsage

March 4, 2025

CISA tags Windows, Cisco vulnerabilities as actively exploited

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for U.S. federal agencies to enhance their defenses against cyberattacks targeting vulnerabilities in Cisco and Windows systems. Two specific vulnerabilities have been identified: 1. CVE-2023-20118, which allows attackers to execute arbitrary commands on certain VPN routers, requiring valid administrative credentials for exploitation. This vulnerability can be combined with CVE-2023-20025, an authentication bypass that grants root privileges to attackers. Cisco acknowledged this issue in an advisory in January 2023, with proof-of-concept exploit code publicly available. 2. CVE-2018-8639, a Win32k elevation of privilege flaw that allows local attackers to execute arbitrary code in kernel mode, enabling data manipulation and unauthorized account creation. Microsoft issued a security advisory regarding this vulnerability in December 2018, affecting both client and server platforms. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to secure their networks against these vulnerabilities by March 23, as per the Binding Operational Directive 22-01. Additionally, CISA has alerted federal agencies to another critical vulnerability, CVE-2024-21413, in Microsoft Outlook, requiring patches by February 27.