Security News > 2020 > November

Mozilla and Google have already patched the critical Firefox and Chrome vulnerabilities exploited recently by white hat hackers at a competition in China. The Firefox flaw was fixed with the release of Firefox 82.0.3, Firefox ESR 78.4.1 and Thunderbird 78.4.2 just a couple of days after it was disclosed at the 2020 Tianfu Cup International PWN Contest, which took place over the past weekend in China.

Microsoft has released the November 2020 Office security updates with a total of 22 updates and 5 cumulative updates for 7 different products, fixing 14 vulnerabilities with five of them potentially enabling remote attackers to execute arbitrary code on vulnerable systems. The highlight of this month's Office security updates is CVE-2020-17061, a high severity Microsoft SharePoint vulnerability discovered by Oleksandr Mirosh from Micro Focus Fortify that leads to remote code execution.

A vulnerability identified recently by researchers at storage giant Western Digital in the Replay Protected Memory Block (RPMB) protocol impacts the products of several other major companies, including Google, Intel and MediaTek. The RPMB feature is designed to protect devices against replay attacks by providing an authenticated and protected area for storing data that ensures each message is unique and cannot be replayed.

NVIDIA released a security update for the GeForce Now cloud gaming Windows app to address a vulnerability that could allow attackers to execute arbitrary code or escalate privileges on systems running unpatched software. NVIDIA's cloud gaming service can be used by customers who own NVIDIA Shield, desktop, or mobile devices via dedicated apps.

Muhstik is a botnet that leverages known web application exploits to compromise IoT devices, such as routers, to mine cryptocurrency. Although the Muhstik botnet has been around since at least 2018, in December 2019 Palo Alto Networks identified a new variant of the botnet attacking and taking over Tomato routers.

The Czech Republic's intelligence agency said Tuesday Russian and Chinese spies posed an imminent threat to the EU member's security and other key interests last year. All Russian intelligence services were active on Czech territory in 2019.

The new rules stress human rights as a key criterion for approving or refusing export licenses. In an announcement this week, the EU said: "Parliament negotiators have succeeded in substantially strengthening human rights considerations among those new criteria to avoid that certain surveillance and intrusion technologies exported from the EU contribute to human rights abuses."

The thing is, cybersecurity isn't a battle that's ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. Combine this easier access to enterprise systems with the increased willingness to hand over information and a drop in vigilance, and you can see how this all became a new kind of game.

This week Samsung started rolling out Android's November security updates to mobile devices to patch critical security vulnerabilities in the operating system and enhance overall features on the devices. This comes after Android published its November 2020 security updates bulletin, which includes patches for critical vulnerabilities impacting the latest devices.

During an upcoming presentation at HITB CyberWeek 2020, Ashar Javed, a security engineer at Hyundai AutoEver Europe, will share stories from his journey towards discovering 365 valid bugs in Microsoft Office 365. "I found literally hundreds of bugs in Office 365 but my favourites are 'All your Power Apps Portals belong to us' and 'Cross-tenant privacy leak in Office 365'."