The Security Group Binarly has disclosed 16 high-severity vulnerabilities in different implementations of UEFI firmware in HP Enterprise devices. The list of affected devices includes Laptops, Desktops, POS (point-of-sale) and edge computing nodes. The vulnerabilities range in severity from 7.5 to 8.8 putting them square in the high-severity range. The discovery also may affect additional manufacturers via a reference code match that has led to AMD’s firmware driver (AgesaSmmSaveMemoryConfig). This AMD reference code means that some vulnerabilities may exist across the entire computing ecosystem.

Linux, often thought of as a more secure alternative to Microsoft, has not had an easy year. We have seen vulnerabilities that affect the iSCSI subsystem, the Extended Berkeley Packet Filter, the Polkit pkexec component bug and now two Kernel bugs. The latest one, dubbed “dirty pipe” It is a method that could allow a “local” user to overwrite read-only files including SUID flies.

Supply chain attacks are always a concern when it comes to device manufacture and distribution. If an attacker can compromise a part of the supply or management chain, they can affect a large part of the market with relatively minimal effort. The SolarWinds supply chain attack is a perfect example of this type of attack that successfully compromised multiple businesses with only one real “attack”. Now security researchers have disclosed a new group of vulnerabilities in PTC’s Axeda software that allow them to attack the devices after distribution.

In early February, rumors about a potential acquisition of Mandiant by Microsoft started to circle the internet. The response was not positive with many feeling that it was allowing the fox to run the chicken coop. Although unpopular the rumor did make sense on a few levels. However, regardless of whether the rumors were true or not, Microsoft is not buying Mandiant; Google is. Yes, Google is scooping up Mandiant for a cool $5.4 Billion.