
Microsoft Patches Critical SharePoint, Exchange Security Holes
2020-12-08 18:52

Microsoft's final batch of security patches for 2020 shipped today with fixes for at least 58 documented vulnerabilities affecting a wide range of OS and software products. The December security updates include fixes for code execution vulnerabilities in the company's flagship Windows operating system and serious problems in Microsoft SharePoint, Microsoft Exchange, and Hyper-V, as well as a Kerberos security feature bypass.

Oblivious DoH, OPAQUE passwords, Encrypted Client Hello: Cloudflare's protocol proposals to protect privacy
2020-12-08 18:45

These include an updated secure DNS service that hides the identity of the client, a password protocol that means a password is never transmitted to the server, and an encrypted "Client hello" that does not leak server names. Third up is OPAQUE password, the name being, it seems, some sort of pun on Oblivious Pseudo-Random Function combined with Password Authenticated Key Exchange.

Ransomware forces hosting provider Netgain to take down data centers
2020-12-08 18:13

Cloud hosting and IT services provider Netgain was forced to take some of its data centers offline after suffering a ransomware attack in late November. On December 4th, customers began receiving emails from Netgain stating that they may experience "System outages or slowdowns" due to a cyberattack on the hosting provider.

API Security Firm Salt Security Raises $30 Million in Series B Funding
2020-12-08 18:11

API security platform provider Salt Security announced on Tuesday that it has raised $30 million in Series B funding led by Sequoia Capital, with participation from existing investors Tenaya Capital, S Capital VC, and Y Combinator. Founded in 2016 by Michael Nicosia and Roey Eliyahu, Salt Security has developed an API Protection Platform that uses big data and artificial intelligence to find and monitor APIs.

Over 100 GE Healthcare Devices Affected by Critical Vulnerability
2020-12-08 18:01

More than 100 medical devices made by GE Healthcare are affected by a potentially serious vulnerability that could allow an attacker to access or modify protected health information, medical cybersecurity company CyberMDX reported on Tuesday. The vulnerability, which is tracked as CVE-2020-25179 with a critical severity rating, has been found to impact CT scan, molecular imaging, PET, X-Ray, ultrasound and mammography devices, as well as workstations and imaging devices used in surgery.

Critical, Unpatched Bugs Open GE Radiological Devices to Remote Code Execution
2020-12-08 17:00

A pair of critical vulnerabilities has been discovered in dozens of GE Healthcare radiological devices popular in hospitals, which could allow an attacker to gain access to sensitive personal health information, alter data and even disrupt the machine's availability. GE has confirmed the vulnerability, which impacts the radiological devices as well as certain workstations and imaging devices used in surgery, according to the CyberMDX alert.

FireEye reveals that it was hacked by a nation state APT group
2020-12-08 16:58

Leading cybersecurity company FireEye disclosed today that it was hacked by a threat actor showing all the signs of a state-sponsored hacking group. The attackers were able to steal Red Team assessment tools that FireEye uses to test customers' security and that are designed to mimic tools used by many cyber threat actors.

Adobe Warns Windows, macOS Users of Critical-Severity Flaws
2020-12-08 16:36

Adobe Systems has stomped out critical-severity flaws across its Adobe Prelude, Adobe Experience Manager and Adobe Lightroom applications. This month's Adobe patch roundup included a critical cross-site scripting vulnerability in Adobe Experience Manager, the company's content-management solution for building websites, mobile apps and forms.

How to protect yourself from gift card scams
2020-12-08 16:33

With the holiday season in bloom, watch out for scams that promise free gift cards or offer to check your gift card balance, says Bolster. A report released Tuesday by fraud prevention company Bolster looks at two types of gift card scams ringing in the holiday season and offers tips on how to avoid them.

Adobe Patches Code Execution Flaws in Prelude, Experience Manager, Lightroom
2020-12-08 16:02

Adobe on Tuesday announced that security updates for its Prelude, Experience Manager and Lightroom products patch critical arbitrary code execution vulnerabilities. In the Windows and macOS versions of the Prelude video logging and ingest tool, Adobe fixed a critical uncontrolled search path issue that can lead to arbitrary code execution in the context of the targeted user.