Security News > 2020 > April

It's not 'Patch Tuesday,' but software giant Adobe today released emergency updates for three of its widely used products that patch dozens of newly discovered critical vulnerabilities. The list of affected software includes Adobe Illustrator, Adobe Bridge, and Magento e-commerce platform, containing a total of 35 vulnerabilities where each one of them is affected with multiple critical arbitrary code execution flaws.

A high-severity cross-site request forgery vulnerability in Real-Time Find and Replace, a WordPress plugin installed on more than 100,000 sites, could lead to cross-site scripting and the injection of malicious JavaScript anywhere on a victim site. In April a pair of security vulnerabilities in the WordPress search engine optimization plugin known as Rank Math, were found.

Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that's distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure. Kaspersky's report follows previous research from BlackBerry, which connected OceanLotus to a trio of fake apps for Android last year.

Guardicore's open source breach and attack simulation platform Infection Monkey now maps its attack results to the MITRE ATT&CK framework, allowing users to quickly discover internal vulnerabilities and rapidly fix them. Infection Monkey operates within organizations' existing environments, whether cloud, on prem, hypervisors or containers, and finds and maps lateral movement paths through the environment using real world exploits.

New rules that will take effect on June 1 require critical information infrastructure operators in China to conduct cybersecurity reviews when acquiring network products and services. The new rules were first mentioned in the controversial cybersecurity law adopted by China in 2017, and a dozen Chinese government agencies have now shared more information on how tech products should be analyzed.

The attack accuses victims of possessing pornography, encrypts all files on the device, and then instructs them to pay a fine to unlock the data, according to Check Point Research. After a successful infection on an Android device, Lucy encrypts files and then displays a ransom note in a browser window.

Cloud security company Accurics on Tuesday emerged from stealth mode with $5 million in funding and a free tool that allows organizations to quickly assess their risk posture. "Our goal in developing the Accurics platform was to protect the full cloud native stack throughout the DevOps lifecycle, from the moment it's defined in code and throughout the lifecycle of infrastructure being employed in production," said Piyush Sharrma, co-founder and CTO of Accurics, who previously served as head of engineering at Symantec.

The "Real-Time Find and Replace" WordPress plugin was updated recently to address a high severity vulnerability that could be exploited to inject code into a website. Designed to allow WordPress site admins to dynamically replace HTML content from themes and other plugins with content of their choosing before the page is served to users, the plugin is available as open source and has over 100,000 installations.

Mozilla's latest "*Privacy Not Included" report shows that twelve out of fifteen popular video call applications and platforms meet the organization's minimum security standards. What Mozilla's researchers discovered was that twelve of the analyzed apps meet Mozilla's Minimum Security Standards.

To help individuals and organizations choose video call apps that suit their needs and their risk appetite, Mozilla has released a new "Privacy Not Included" report that focuses on video call apps. Three of the evaluated apps have failed to meet Mozilla's Minimum Security Standards, but that doesn't mean that they should not be used.