Articles about vulnerability

As part of this month's Patch Tuesday, Microsoft has issued a fix for a 17-year-old Windows DNS Server vulnerability. Known as SIGRed and tracked as CVE-2020-1350, the flaw is a serious one that has been assigned a CVSS base score of 10.0.

The vulnerability affects all version of Windows Server and is a wormable remote code execution flaw that requires no user interaction. In addition to issuing a critical patch, Microsoft has also provided details of a workaround for anyone who is unable to deploy the fix immediately

Continue reading →

New research released today from Sepio Systems, a rogue device mitigation firm, reveals a 42 percent jump in the number of devices connected to corporate networks, compared with the pre-COVID-19 period.

Not only has the number of connected devices increased, there are also almost three times the number of different device vendors. This means many unbranded or budget makes of equipment being used that are not commonly found in the enterprise environment.

Continue reading →

Following the discovery of an SQL injection vulnerability in its XG Firewall product, Sophos has released an emergency patch to protect users against hackers.

The vulnerability affects both physical and virtual XG Firewall units, and signs of attacks were first noticed last week. Attackers exploiting the vulnerability on unpatched firewalls would be able to access all local usernames and hashed passwords of any local user accounts, including local device admins, user portal accounts, and accounts used for remote access.

Continue reading →

After discovering a no fewer than seven security vulnerabilities in Safari for iOS and macOS, a researcher has received a $75,000 bug bounty pay out from Apple.

Ryan Pickren, a former Amazon Web Services (AWS) security engineer, found a series of security flaws in Apple's web browser, some of which could be exploited to hijack the camera of a Mac or iPhone to spy on users. The webcam hacking technique combined a total of three zero-day bugs.

Continue reading →

Less than half of organizations can patch vulnerable systems swiftly enough to protect against critical threats and zero-day attacks, and 81 percent have suffered at least one data breach in the last two years.

A new report from cyber hygiene platform Automox cites the pace of digital transformation and modern workforce evolution, difficulty in patching systems belonging to mobile employees and remote offices, inefficient patch testing, lack of visibility into endpoints, and insufficient staffing in SecOps and IT operations as inhibitors to patching.

Continue reading →

Microsoft has warned that all versions of Windows feature critical unpatched RCE vulnerabilities. The security problems stem from the Windows Adobe Type Manager Library, and relates to the parsing of fonts.

The company is working on a fix which will be released when the next Patch Tuesday rolls around -- but for Windows 7 users, despite the critical nature of the bugs, it is only those who have paid for an ESU licence that will get the security update. There is a bit of good news, however. While the vulnerability is yet to be patched, there is a workaround available that will do the job for the time being.

Continue reading →

Open source components are the building bricks of many of today's software applications, but this puts them under increased scrutiny with regard to security.

Open source management specialist WhiteSource has released a new report which shows that disclosed open source software vulnerabilities in 2019 skyrocketed to over 6000, up almost 50 percent.

Continue reading →

Both the NSA and a cybersecurity firm have reminded the tech world of the existence of a remote code execution vulnerability in Microsoft Exchange Server.

Although Microsoft issued a patch for CVE-2020-0688 last month, numerous state-sponsors hacking groups have been spotted exploiting the vulnerability. There was an uptick in exploitation after a technical report of the details of the vulnerability were published by a security researcher.

Continue reading →

Details of a nine-year-old security vulnerability with the sudo utility found in numerous Unix and Linux based operating systems have been revealed.

The flaw, which affects the likes of Linux Mint and Elementary OS, could be exploited to give users root privileges on a vulnerable system. Sudo versions 1.7.1 to 1.8.30 are at risk if the pwfeedback option is enabled.

Continue reading →

2019 was the third year in a row that Microsoft technology was most affected by vulnerabilities, with eight of the top 10 vulnerabilities identified targeting its products.

This is a key finding of the Recorded Future annual vulnerability report which also shows that for the first time six of the vulnerabilities, all impacting Microsoft, were repeats from the prior year.

Continue reading →

Apple's Safari web browser was found to have multiple security flaws that allowed for user's online activity to be tracked, say Google researchers.

In a yet-to-be-published paper, the researchers reveal issues in a Safari feature which is actually supposed to increase user privacy. The Intelligent Tracking Prevention (ITP) feature found in the iOS, iPadOS and macOS version of the browser is meant to block tracking, but vulnerabilities mean that third parties could have accessed sensitive information about users' browsing habits.

Continue reading →

The vulnerability-finding Project Zero has found Google on the end of both criticism and praise, but there has long been concern about the policy of being very quick to reveal details of vulnerabilities that have been discovered.

Previously Project Zero has given software developers a 90-day window of opportunity to fix bugs before it goes public. Details of vulnerabilities would also be published as soon as a fix was released. For 2020, Google is trying something new. The company will wait a full 90 days before disclosing a vulnerability, regardless of when the bug is fixed.

Continue reading →

Multiple vulnerabilities in the popular TikTok video-sharing app and its back end could have allowed attackers to manipulate content on user accounts, and even extract confidential personal information.

Researchers at Check Point have found that an attacker could send a spoofed SMS message to a user containing a malicious link. If the user clicked on the link, the attacker was able to access the user's TikTok account and manipulate its content by deleting videos, uploading unauthorized videos, and making private or 'hidden' videos public.

Continue reading →

Organizations face a greater range of cyber threats than ever before. The key to dealing with these threats is better intelligence about the latest vulnerabilities.

We spoke to Jay Prassl, CEO of cyber hygiene startup Automox, which has recently launched an open community to foster cyber hygiene best practices, to find out more about how crowdsourcing and information sharing can help reduce the corporate attack surface.

Continue reading →

According to a new study 90 percent of IT professionals believe disclosing vulnerabilities serves a broader purpose of improving how software is developed, used and fixed.

The survey from application security testing specialist Veracode finds more than a third of companies received an unsolicited vulnerability disclosure report in the past 12 months, representing an opportunity to work together with the reporting party to fix the vulnerability and then disclose it, improving overall security.

Continue reading →